rappct 0.13.3

Rust AppContainer / LPAC toolkit for Windows (profiles, capabilities, process launch, diagnostics).
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

//! Diagnostics and configuration validation (skeleton). Feature: `introspection`
#![allow(clippy::undocumented_unsafe_blocks)]

use crate::capability::{SecurityCapabilities, derive_named_capability_sids};
use crate::launch::LaunchOptions;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ConfigWarning {
    LpacWithoutCommonCaps,
    NoNetworkCaps,
}

pub fn validate_configuration(
    sec: &SecurityCapabilities,
    opts: &LaunchOptions,
) -> Vec<ConfigWarning> {
    let mut out = Vec::new();
    let _ = opts;
    // LPAC: advise enabling common defaults if not present
    if sec.lpac {
        // registryRead + lpacCom
        if let Ok(required) = derive_named_capability_sids(&["registryRead", "lpacCom"]) {
            let have = &sec.caps;
            let mut missing = 0;
            for r in required {
                if !have.iter().any(|h| h.sid_sddl == r.sid_sddl) {
                    missing += 1;
                }
            }
            if missing > 0 {
                out.push(ConfigWarning::LpacWithoutCommonCaps);
            }
        }
    }
    // Network caps: warn if none of the known networking caps are present
    if let Ok(net_caps) = derive_named_capability_sids(&[
        "internetClient",
        "internetClientServer",
        "privateNetworkClientServer",
    ]) {
        let any = sec
            .caps
            .iter()
            .any(|h| net_caps.iter().any(|n| n.sid_sddl == h.sid_sddl));
        if !any {
            out.push(ConfigWarning::NoNetworkCaps);
        }
    }
    out
}