drop-root-caps 1.0.2

A simple crate to drop 'root' user capabilities on Linux
// SPDX-License-Identifier: 0BSD
// Drop Root Capabilities
// Copyright (C) 2025 by LoRd_MuldeR <mulder2@gmx.de>

#![no_std]
#![cfg(target_os = "linux")]

use ctor::ctor;
use libc::{c_long, prctl, PR_CAPBSET_DROP};

// Linux capability numbers handed to `prctl(PR_CAPBSET_DROP, ...)` by this crate.
// The numeric values mirror linux/include/uapi/linux/capability.h; the one-line
// summaries paraphrase capabilities(7).

/// Change file owner and group arbitrarily.
const CAP_CHOWN: c_long = 0;
/// Bypass file read, write and execute permission checks.
const CAP_DAC_OVERRIDE: c_long = 1;
/// Bypass file read checks and directory read/search checks.
const CAP_DAC_READ_SEARCH: c_long = 2;
/// Bypass checks that require the process to own the file.
const CAP_FOWNER: c_long = 3;
/// Keep set-user-ID / set-group-ID bits when a file is modified.
const CAP_FSETID: c_long = 4;
/// Set the immutable and append-only inode flags.
const CAP_LINUX_IMMUTABLE: c_long = 9;
/// Create special files with mknod(2).
const CAP_MKNOD: c_long = 27;
/// Override Mandatory Access Control.
const CAP_MAC_OVERRIDE: c_long = 32;

// `#[used]` makes the compiler keep this static in the object file even though
// nothing reads it.
// NOTE(review): presumably this gives the crate a retained symbol so that the
// object holding the constructor is not discarded at link time — confirm.
#[used]
static SENTINEL: u32 = 42;

/// Constructor hook: `#[ctor]` registers it to run before `main` (and before any test function).
///
/// Issues one `prctl(PR_CAPBSET_DROP, ...)` call for each of the eight
/// file-system related capabilities declared in this file.
///
/// # Security notes
///
/// * Per prctl(2) and capabilities(7), `PR_CAPBSET_DROP` removes a capability
///   from the calling thread's *bounding* set; that call by itself does not
///   edit the permitted or effective sets the process already holds.
///   NOTE(review): confirm this matches the guarantee users expect from
///   "dropping root capabilities".
/// * The kernel rejects the request (EPERM) when the caller lacks
///   `CAP_SETPCAP`. The return value is discarded below, so a failed drop is
///   silent; anything relying on this for hardening should verify the result
///   independently (e.g. the `CapBnd` line of `/proc/self/status`).
///
/// # Safety
///
/// Only calls the libc `prctl` FFI function with plain integer arguments.
#[ctor]
unsafe fn initialize() {
    // prctl(2) expects the unused trailing arguments to be zero.
    const UNUSED: c_long = 0;

    // Same set and same order as the calls have always been issued in.
    const DROPPED: [c_long; 8] = [
        CAP_CHOWN,
        CAP_DAC_OVERRIDE,
        CAP_DAC_READ_SEARCH,
        CAP_FOWNER,
        CAP_FSETID,
        CAP_LINUX_IMMUTABLE,
        CAP_MAC_OVERRIDE,
        CAP_MKNOD,
    ];

    for &cap in &DROPPED {
        // Best effort: the status code is intentionally not inspected.
        let _ = prctl(PR_CAPBSET_DROP, cap, UNUSED, UNUSED, UNUSED);
    }
}