drop_root_caps/
lib.rs

1// SPDX-License-Identifier: 0BSD
2// Drop Root Capabilities
3// Copyright (C) 2025 by LoRd_MuldeR <mulder2@gmx.de>
4
5#![no_std]
6
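#[cfg(target_os = "linux")]
mod linux {
    use core::hint::black_box;
    use ctor::ctor;
    use libc::{c_long, prctl, PR_CAPBSET_DROP};

    // Capability constants
    // See linux/include/uapi/linux/capability.h for details!
    const CAP_CHOWN: c_long = 0;
    const CAP_DAC_OVERRIDE: c_long = 1;
    const CAP_DAC_READ_SEARCH: c_long = 2;
    const CAP_FOWNER: c_long = 3;
    const CAP_FSETID: c_long = 4;
    const CAP_LINUX_IMMUTABLE: c_long = 9;
    const CAP_MKNOD: c_long = 27;
    const CAP_MAC_OVERRIDE: c_long = 32;

    /// Capabilities removed from the bounding set at start-up, in the order they are dropped.
    const DROPPED_CAPABILITIES: [c_long; 8] = [
        CAP_CHOWN,
        CAP_DAC_OVERRIDE,
        CAP_DAC_READ_SEARCH,
        CAP_FOWNER,
        CAP_FSETID,
        CAP_LINUX_IMMUTABLE,
        CAP_MAC_OVERRIDE,
        CAP_MKNOD,
    ];

    /// The initialization function that will run before the "main" function (or any test function).
    ///
    /// Issues one `prctl(PR_CAPBSET_DROP, ...)` call per entry of [`DROPPED_CAPABILITIES`].
    /// The calls are best-effort: the return value is not inspected, so a failed drop is silent.
    ///
    /// Security notes for anyone relying on this as a privilege boundary:
    /// * Per prctl(2), `PR_CAPBSET_DROP` fails with `EPERM` when the caller lacks `CAP_SETPCAP`
    ///   (e.g. an unprivileged process), and nothing here reports that failure.
    /// * NOTE(review): per capabilities(7), the bounding set limits what can be gained on a later
    ///   `execve` and what can be added to the inheritable set; it does not by itself clear the
    ///   caller's current permitted/effective sets. Confirm this is the intended effect.
    ///
    /// # Safety
    ///
    /// Runs as a process constructor, before `main`; it only performs `prctl` system calls and
    /// touches no Rust state.
    #[ctor]
    unsafe fn initialize() {
        // The constructor must return normally: an unconditional `abort()` here would terminate
        // every program that links this crate and leave the loop below unreachable.
        for capability in DROPPED_CAPABILITIES {
            // `prctl` is variadic, so the unused trailing arguments are passed as explicit
            // `c_long` zeroes. `black_box` merely consumes the ignored return value.
            black_box(prctl(PR_CAPBSET_DROP, capability, 0 as c_long, 0 as c_long, 0 as c_long));
        }
    }
}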
33
/// No-op hook that a dependent crate can call so that this crate is actually linked.
///
/// The function body is empty; on Linux the capability handling lives in the start-up
/// constructor of the `linux` module, not here.
pub const fn set_up() {
    // Intentionally empty.
}