harborshield 0.1.0

A Rust port of Whalewall, to automate management of firewall rules for Docker containers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

#[cfg(target_os = "linux")]
pub mod capabilities;
#[cfg(target_os = "linux")]
pub mod landlock;
#[cfg(target_os = "linux")]
pub mod seccomp;

pub mod error;

pub use error::{Result, SecurityError};
use std::path::Path;

/// Check if the process has all required capabilities
pub fn check_capabilities() -> Result<()> {
    #[cfg(target_os = "linux")]
    {
        capabilities::check_required_capabilities()?;
    }

    #[cfg(not(target_os = "linux"))]
    {
        tracing::debug!("Capability checking is only available on Linux");
    }

    Ok(())
}

pub fn apply_restrictions(db_path: &Path, log_path: Option<&Path>) -> Result<()> {
    #[cfg(target_os = "linux")]
    {
        // Apply landlock restrictions
        landlock::apply_landlock_rules(db_path, log_path)?;

        // Apply seccomp filters
        seccomp::apply_seccomp_filters()?;
    }

    #[cfg(not(target_os = "linux"))]
    {
        tracing::warn!("Security restrictions are only available on Linux");
        let _ = (db_path, log_path); // Avoid unused variable warnings
    }

    Ok(())
}