// Copyright 2015 The Rust Project Developers. See the COPYRIGHT
// file at the top-level directory of this distribution and at
// http://rust-lang.org/COPYRIGHT.
//
// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
// option. This file may not be copied, modified, or distributed
// except according to those terms.
//! Sandbox profiles—lists of permitted operations.
use platform;

use std::path::PathBuf;
/// A sandbox profile, which specifies the set of operations that this process is allowed to
/// perform. Operations not in the list are implicitly prohibited.
///
/// If the process attempts to perform an operation that is *not* in the list, and that this
/// platform is able to prohibit, after the sandbox is entered via `activate()`, the operation
/// will either fail or the process will be immediately terminated. Operations that this platform
/// cannot prohibit are not blocked at all, so check whether an operation can be prohibited on
/// this platform with `Operation::prohibition_support()` before relying on the profile to stop it.
///
/// All profiles implicitly prohibit *at least* the following operations. Future versions of `gaol`
/// may add operations to selectively allow these.
///
/// * Opening any file for writing.
///
/// * Creating new processes.
///
/// * Opening named pipes or System V IPC resources.
///
/// * Accessing System V semaphores.
///
/// * Sending signals to other processes.
///
/// * Tracing other processes.
///
/// * Accepting inbound network connections.
///
/// * Any operation that requires superuser privileges on the current operating system.
///
/// All profiles implicitly *allow* the following operations:
///
/// * All pure computation (user-mode CPU instructions that do not cause a context switch to
/// supervisor mode).
///
/// * Memory allocation (for example, via `brk` or anonymous `mmap` on Unix).
///
/// * Use of synchronization primitives (mutexes, condition variables).
///
/// * Changing memory protection and use policies: for example, marking pages non-writable or
/// informing the kernel that memory pages may be discarded. (It may be possible to restrict
/// this in future versions.)
///
/// * Spawning new threads.
///
/// * Responding to signals (e.g. `signal`, `sigaltstack`).
///
/// * Read, write, and memory map of already-opened file descriptors or handles.
///
/// * Determining how much has been sent on a file descriptor.
///
/// * Sending or receiving on already-opened sockets, including control messages on Unix.
///
/// * I/O multiplexing on already-opened sockets and/or file descriptors (`select`/`poll`).
///
/// * Opening and closing file descriptors and sockets (but not necessarily connecting them
/// to anything).
///
/// * Determining the user ID.
///
/// * Querying and altering thread scheduling options such as CPU affinity.
///
/// * Exiting the process.
///
/// Because of platform limitations, patterns within one profile must not overlap; the behavior is
/// undefined if they do. For example, you may not allow metadata reads of the subpath rooted at
/// `/dev` while also allowing full reads of `/dev/null`. You must instead either allow full reads
/// of the whole `/dev` subpath, or make the profile more restrictive (keep only the metadata-read
/// rule for `/dev` and drop the `/dev/null` rule).
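The no-overlap rule above is not enforced by the profile itself, so a caller needs its own check before building a profile. The following is an added example, not code from the `gaol` crate: it defines a stand-alone `PathPattern` with the literal/subpath distinction the documentation describes, a hypothetical `FileAccess` kind standing in for the metadata-read versus full-read operations, and an `overlapping_rules` validator that reports every overlapping pair. It also rejects relative paths and `.`/`..` components, since overlap cannot be decided syntactically for those. The `/dev` versus `/dev/null` case from the text is the first input it checks.

```rust
use std::path::{Component, Path, PathBuf};

/// Which filesystem operation a rule grants. Hypothetical: it stands in for the
/// distinction the profile docs draw between metadata reads and full reads and is
/// not the crate's own `Operation` type.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum FileAccess {
    ReadMetadata,
    ReadAll,
}

/// One exact path, or a directory and everything beneath it.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum PathPattern {
    Literal(PathBuf),
    Subpath(PathBuf),
}

impl PathPattern {
    fn root(&self) -> &Path {
        match self {
            PathPattern::Literal(p) | PathPattern::Subpath(p) => p,
        }
    }

    /// True if some path is matched by both patterns. `Path::starts_with` compares
    /// whole components, so `/devices` is not treated as lying under `/dev`.
    pub fn overlaps(&self, other: &PathPattern) -> bool {
        match (self, other) {
            (PathPattern::Literal(a), PathPattern::Literal(b)) => a == b,
            (PathPattern::Subpath(dir), PathPattern::Literal(p))
            | (PathPattern::Literal(p), PathPattern::Subpath(dir)) => p.starts_with(dir),
            (PathPattern::Subpath(a), PathPattern::Subpath(b)) => {
                a.starts_with(b) || b.starts_with(a)
            }
        }
    }
}

/// One allow rule: an access kind applied to a path pattern (hypothetical type).
#[derive(Clone, Debug)]
pub struct FileRule {
    pub access: FileAccess,
    pub pattern: PathPattern,
}

/// Rejects paths whose overlap cannot be decided by looking at the text alone:
/// relative paths and paths containing `.` or `..`. Canonicalise such paths against
/// the real filesystem before comparing them.
fn check_normalized(p: &Path) -> Result<(), String> {
    if !p.is_absolute() {
        return Err(format!("{}: pattern paths must be absolute", p.display()));
    }
    if p.components().any(|c| matches!(c, Component::CurDir | Component::ParentDir)) {
        return Err(format!("{}: pattern paths must not contain `.` or `..`", p.display()));
    }
    Ok(())
}

/// Returns every pair of rule indices whose patterns overlap, regardless of access
/// kind, or an error if some path is not in a form the check can reason about.
/// An empty Vec means the rule set respects the no-overlap requirement.
pub fn overlapping_rules(rules: &[FileRule]) -> Result<Vec<(usize, usize)>, String> {
    for rule in rules {
        check_normalized(rule.pattern.root())?;
    }
    let mut found = Vec::new();
    for i in 0..rules.len() {
        for j in (i + 1)..rules.len() {
            if rules[i].pattern.overlaps(&rules[j].pattern) {
                found.push((i, j));
            }
        }
    }
    Ok(found)
}

fn main() {
    // The rule set the docs say is not permitted: metadata reads of everything
    // under /dev alongside full reads of the single file /dev/null.
    let rejected = vec![
        FileRule { access: FileAccess::ReadMetadata, pattern: PathPattern::Subpath(PathBuf::from("/dev")) },
        FileRule { access: FileAccess::ReadAll, pattern: PathPattern::Literal(PathBuf::from("/dev/null")) },
    ];
    for (i, j) in overlapping_rules(&rejected).unwrap() {
        println!("overlap: {:?} vs {:?}", rejected[i], rejected[j]);
    }
    // The fix the docs suggest: a single broader rule granting full reads of /dev.
    let accepted = vec![
        FileRule { access: FileAccess::ReadAll, pattern: PathPattern::Subpath(PathBuf::from("/dev")) },
        FileRule { access: FileAccess::ReadAll, pattern: PathPattern::Literal(PathBuf::from("/etc/hosts")) },
    ];
    assert!(overlapping_rules(&accepted).unwrap().is_empty());
}
```

The check deliberately flags overlapping patterns even when both rules grant the same access kind: the documentation says overlap is undefined behaviour, not merely redundant, so two identical rules should be collapsed into one before the profile is built.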
/// An operation that this process is allowed to perform.
/// Describes a path or paths on the filesystem.
/// Describes a network address.
/// How precisely an operation can be allowed on this platform.
/// Allows operations to be queried to determine how precisely they can be allowed on this
/// platform.