Function pentacle::ensure_sealed

pub fn ensure_sealed() -> Result<()>

Ensure the currently running program is a sealed anonymous file.

If /proc/self/exe is not a sealed anonymous file, a new anonymous file is created, /proc/self/exe is copied to it, the file is sealed, and CommandExt::exec is called. When the program begins again, this function will detect /proc/self/exe as a sealed anonymous file and return Ok(()).

You should call this function at the beginning of main. This function has the same implications as CommandExt::exec: no destructors on the current stack or any other thread’s stack will be run.

Errors

An error is returned if /proc/self/exe fails to open, memfd_create(2) fails, the fcntl(2) F_ADD_SEALS command fails, or copying from /proc/self/exe to the anonymous file fails.