sandbox-core 0.2.1

Core types, errors, and capability detection for sandbox-rs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

//! Privilege mode configuration for sandbox execution

use crate::capabilities::SystemCapabilities;

/// Determines how the sandbox operates with respect to privileges
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
pub enum PrivilegeMode {
    /// Use only unprivileged mechanisms: user namespaces + seccomp + landlock + setrlimit.
    /// Does NOT require root. Fails if essential unprivileged features are unavailable.
    Unprivileged,

    /// Use all available mechanisms including privileged ones: all namespaces + cgroups + chroot + seccomp.
    /// Requires root. Fails if not running as root.
    Privileged,

    /// Automatically detect the best available mode.
    /// Uses privileged mode if running as root, otherwise falls back to unprivileged.
    #[default]
    Auto,
}

impl PrivilegeMode {
    /// Resolve Auto mode to a concrete mode based on system capabilities
    pub fn resolve(&self, caps: &SystemCapabilities) -> ResolvedMode {
        match self {
            PrivilegeMode::Privileged => ResolvedMode::Privileged,
            PrivilegeMode::Unprivileged => ResolvedMode::Unprivileged,
            PrivilegeMode::Auto => {
                if caps.has_root && caps.has_cgroup_v2 {
                    ResolvedMode::Privileged
                } else {
                    ResolvedMode::Unprivileged
                }
            }
        }
    }
}

/// A resolved (non-Auto) privilege mode
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ResolvedMode {
    Unprivileged,
    Privileged,
}

impl ResolvedMode {
    pub fn is_privileged(&self) -> bool {
        matches!(self, ResolvedMode::Privileged)
    }

    pub fn is_unprivileged(&self) -> bool {
        matches!(self, ResolvedMode::Unprivileged)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn default_is_auto() {
        assert_eq!(PrivilegeMode::default(), PrivilegeMode::Auto);
    }

    #[test]
    fn privileged_always_resolves_to_privileged() {
        let caps = SystemCapabilities {
            has_root: false,
            has_user_namespaces: false,
            has_seccomp: false,
            has_landlock: false,
            has_cgroup_v2: false,
            has_cgroup_delegation: false,
        };
        assert_eq!(
            PrivilegeMode::Privileged.resolve(&caps),
            ResolvedMode::Privileged
        );
    }

    #[test]
    fn unprivileged_always_resolves_to_unprivileged() {
        let caps = SystemCapabilities {
            has_root: true,
            has_user_namespaces: true,
            has_seccomp: true,
            has_landlock: true,
            has_cgroup_v2: true,
            has_cgroup_delegation: true,
        };
        assert_eq!(
            PrivilegeMode::Unprivileged.resolve(&caps),
            ResolvedMode::Unprivileged
        );
    }

    #[test]
    fn auto_resolves_to_privileged_when_root_with_cgroups() {
        let caps = SystemCapabilities {
            has_root: true,
            has_user_namespaces: true,
            has_seccomp: true,
            has_landlock: true,
            has_cgroup_v2: true,
            has_cgroup_delegation: true,
        };
        assert_eq!(PrivilegeMode::Auto.resolve(&caps), ResolvedMode::Privileged);
    }

    #[test]
    fn auto_resolves_to_unprivileged_without_root() {
        let caps = SystemCapabilities {
            has_root: false,
            has_user_namespaces: true,
            has_seccomp: true,
            has_landlock: true,
            has_cgroup_v2: true,
            has_cgroup_delegation: false,
        };
        assert_eq!(
            PrivilegeMode::Auto.resolve(&caps),
            ResolvedMode::Unprivileged
        );
    }

    #[test]
    fn resolved_mode_helpers() {
        assert!(ResolvedMode::Privileged.is_privileged());
        assert!(!ResolvedMode::Privileged.is_unprivileged());
        assert!(ResolvedMode::Unprivileged.is_unprivileged());
        assert!(!ResolvedMode::Unprivileged.is_privileged());
    }
}