System capability checking.
Verifies at runtime that the kernel supports all required features for sandboxing.
The check is performed once and cached in a static OnceLock.
§Required Features
| Feature | Minimum | Check Method |
|---|---|---|
| Kernel | 5.13 | uname syscall |
| Landlock | ABI 1 | landlock_create_ruleset with VERSION flag |
| User NS | enabled | /proc/sys/kernel/unprivileged_userns_clone or fork+unshare test |
| Seccomp | enabled | prctl(PR_GET_SECCOMP) |
§Usage
match check::check() {
    Ok(info) => println!("Landlock ABI: {}", info.landlock_abi),
    Err(e) => eprintln!("System not supported: {}", e),
}
§User Namespaces
User namespace support varies by distribution, so the check consults the distribution-specific sysctl first and falls back to a probe:
- Debian/Ubuntu: /proc/sys/kernel/unprivileged_userns_clone
- NixOS/Fedora: /proc/sys/user/max_user_namespaces
- Fallback: fork + unshare test
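The decision logic behind the table above and the user-namespace fallback order, as an added example that is not the crate's own code: the raw syscall and sysctl results are supplied as constructed values in a `Probe` struct rather than gathered from the running kernel, so it runs anywhere. `Probe`, `evaluate`, `parse_release` and this local `CheckError` are hypothetical names and are not the module's actual API.

```rust
// Added example: evaluates constructed probe results instead of calling the
// kernel. Probe, evaluate, parse_release and CheckError are hypothetical names.

const MIN_KERNEL: (u32, u32) = (5, 13);

#[derive(Debug, PartialEq)]
pub enum CheckError {
    KernelTooOld(String),
    LandlockUnsupported,
    UserNsDisabled,
    SeccompUnavailable,
}

/// Raw results a real implementation would gather with uname(2),
/// landlock_create_ruleset(2), the sysctl files and prctl(2).
#[derive(Clone, Copy)]
pub struct Probe<'a> {
    pub release: &'a str,              // uname().release
    pub landlock_ret: i64,             // ruleset syscall with VERSION flag, -1 on error
    pub userns_clone: Option<&'a str>, // /proc/sys/kernel/unprivileged_userns_clone
    pub max_user_ns: Option<&'a str>,  // /proc/sys/user/max_user_namespaces
    pub unshare_ok: bool,              // fork + unshare(CLONE_NEWUSER) probe result
    pub seccomp_ret: i64,              // prctl(PR_GET_SECCOMP), -1 if unsupported
}

/// Parse "5.15.0-91-generic" or "6.1.0-rc3" into (major, minor). An
/// unparseable release string fails closed at the version gate.
pub fn parse_release(release: &str) -> Option<(u32, u32)> {
    let mut parts = release.split('.');
    let major = parts.next()?.parse().ok()?;
    let minor: String = parts.next()?.chars().take_while(|c| c.is_ascii_digit()).collect();
    Some((major, minor.parse().ok()?))
}

/// Distribution-specific sysctl first; the fork+unshare probe only when neither file exists.
fn userns_enabled(p: &Probe) -> bool {
    match (p.userns_clone, p.max_user_ns) {
        (Some(v), _) => v.trim() == "1",
        (None, Some(v)) => v.trim().parse::<u64>().map_or(false, |n| n > 0),
        (None, None) => p.unshare_ok,
    }
}

/// Returns the Landlock ABI version on success, mirroring `info.landlock_abi`.
pub fn evaluate(p: &Probe) -> Result<u32, CheckError> {
    match parse_release(p.release) {
        Some(v) if v >= MIN_KERNEL => {}
        _ => return Err(CheckError::KernelTooOld(p.release.to_string())),
    }
    // ABI >= 1 means Landlock is built in and enabled; -1 (ENOSYS/EOPNOTSUPP) means it is not.
    let abi = u32::try_from(p.landlock_ret).ok().filter(|&a| a >= 1).ok_or(CheckError::LandlockUnsupported)?;
    if !userns_enabled(p) { return Err(CheckError::UserNsDisabled); }
    // prctl(PR_GET_SECCOMP) returns 0 or 2 when seccomp exists, -1 when the kernel lacks it.
    if p.seccomp_ret < 0 { return Err(CheckError::SeccompUnavailable); }
    Ok(abi)
}
```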
Structs§
- SystemInfo - Information about the system's sandboxing capabilities.
Enums§
- CheckError - Errors that can occur during system capability checking.
Functions§
- check - Check system capabilities and cache the result.