rappct

Rust toolkit for working with Windows AppContainer (AC) and Low Privilege AppContainer (LPAC) security boundaries.

rappct packages the underlying Windows APIs into a cohesive crate so that you can create, manage, and launch AppContainer-aware workloads from Rust with minimal boilerplate. It is designed for security-sensitive automation that needs to compose profiles, capabilities, process launches, ACL helpers, and diagnostics in one place.

• Status: Actively developed. Windows paths are implemented first; non-Windows hosts return UnsupportedPlatform.
• MSRV: Rust 1.90 (stable).

Highlights

• AppContainer profile lifecycle helpers (create, open, delete) and profile path resolution.
• Capability derivation via DeriveCapabilitySidsFromName, with ergonomic builders for known and custom capability SIDs.
• Secure process launch helpers (AC/LPAC) with STARTUPINFOEX, optional job object integration, and stdio redirection.
• Token inspection helpers to understand the effective AppContainer/LPAC context at runtime.
• Optional modules for diagnostics (introspection) and network loopback management (net).
• ACL utilities to grant/revoke filesystem and registry access for package SIDs.

Prerequisites

Getting Started

# Clone the repository
git clone https://github.com/cpjet64/rappct.git
cd rappct

# Build the library
cargo build

# Run the example CLI
cargo run --example acrun -- --help

The crate is structured as a binary-agnostic library. Bring it into your own project with either a Git dependency or a crates.io release:

cargo add rappct --git https://github.com/cpjet64/rappct.git

Usage Snapshot

use rappct::{AppContainerProfile, KnownCapability, LaunchOptions, SecurityCapabilitiesBuilder, launch_in_container};

fn main() -> rappct::Result<()> {
    let profile = AppContainerProfile::ensure("demo.rappct", "Demo", Some("rappct example"))?;
    let caps = SecurityCapabilitiesBuilder::new(&profile.sid)
        .with_known(&[KnownCapability::InternetClient])
        .with_lpac_defaults() // opt in to LPAC defaults when required
        .build()?;

    let opts = LaunchOptions { exe: "C:/Windows/System32/notepad.exe".into(), ..Default::default() };
    let child = launch_in_container(&caps, &opts)?;
    println!("child pid: {}", child.pid);
    Ok(())
}

Feature Flags

Disable unused features for the leanest runtime surface; APIs gracefully return AcError::Unimplemented when a feature is not compiled in.

Diagnostics & Security Considerations

• LPAC capabilities are opt-in; call SecurityCapabilitiesBuilder::with_lpac_defaults() explicitly.
• Loopback exemptions via the net feature are meant for debug scenarios only. Production use should rely on standard firewall policy.
• When something fails due to missing capabilities or OS prerequisites, rappct surfaces detailed error messages instead of falling back silently. Use supports_lpac() to guard LPAC-specific code paths. For tests/CI, you can set RAPPCT_TEST_LPAC_STATUS=ok|unsupported to force detection.

Repository Layout

• src/ — core library modules (capabilities, launch, ACLs, diagnostics).
• examples/ — runnable samples such as acrun for quick CLI exploration.
• tests/ — integration tests covering launch/ACL/token behaviours on Windows.

Development Workflow

cargo fmt
cargo clippy --all-targets --all-features
cargo test --all-targets --all-features

Run Windows-specific scenarios in an elevated PowerShell session when the tests require loopback exemptions or ACL adjustments.

Contributing

Contributions are welcome! Please:

1. Open an issue using the provided template before starting major work.
2. Discuss API-affecting changes early to avoid churn.
3. Include tests and documentation updates alongside code changes.
4. Run the checks listed in the PR template before submitting.

See CONTRIBUTING.md for style and review guidelines.

Security

Please report vulnerabilities privately through the GitHub Security Advisory workflow.

License

This project is licensed under the MIT license.