Struct UnixSocketCapability

pub struct UnixSocketCapability {
    pub original: PathBuf,
    pub resolved: PathBuf,
    pub scope: SocketScope,
    pub mode: UnixSocketMode,
    pub source: CapabilitySource,
}

A capability granting AF_UNIX socket access on a filesystem path.

Only pathname sockets (filesystem-backed) are grantable through this type. Abstract-namespace sockets (sun_path[0] == '\0') and unnamed sockets are never covered by a grant — see issue #685 for the design note. Those kinds are denied by the sandbox’s decide_network_notification policy on Linux and have no analog on macOS.

Invariants:

  • path-canonicalize: canonicalised at construction. For ConnectBind grants where the socket itself doesn’t yet exist, we canonicalise the parent directory and re-append the final component (bind creates the socket file).
  • lib-policy-free: this is a pure data type. Policy coupling (e.g. auto-granting an implied FsCapability) lives in nono-cli.

Fields

original: PathBuf

Original path as specified by the caller, pre-canonicalisation. Retained for diagnostic output and for macOS dual-path emission (/tmp/foo.sock vs /private/tmp/foo.sock).

resolved: PathBuf

Canonical absolute path.

scope: SocketScope

Path matching scope for this grant.

mode: UnixSocketMode

Which socket operations are permitted.

source: CapabilitySource

Where this capability originated.

Implementations

impl UnixSocketCapability

pub fn new_file(path: impl AsRef<Path>, mode: UnixSocketMode) -> Result<Self>

Grant for a single socket file.

If mode == Connect, the path must already exist and must not be a directory.

If mode == ConnectBind, the path may not yet exist (bind creates it). In that case the parent directory must exist; canonicalisation resolves the parent and re-appends the final path component.

pub fn new_dir(path: impl AsRef<Path>, mode: UnixSocketMode) -> Result<Self>

Grant for any pathname socket directly within a directory.

Non-recursive: a socket one level deeper (e.g. <dir>/subdir/foo.sock) is not covered. The directory itself must already exist.

Rejects the filesystem root (/) as defence-in-depth against accidental grants that would cover sockets anywhere at top level (cf. [validate_platform_rule]’s rejection of root-level subpath grants for filesystem rules). Use explicit subdirectory paths.

pub fn new_dir_subtree(path: impl AsRef<Path>, mode: UnixSocketMode) -> Result<Self>

Grant for any pathname socket within a directory subtree.

Recursive: sockets in nested subdirectories are covered. The directory itself must already exist.
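The constructor rules above (Connect requires an existing non-directory path, ConnectBind canonicalises the parent and re-appends the final component, directory grants refuse the filesystem root), as an added illustration that is not the crate's own code. Mode, Grant, grant_file and grant_dir are names assumed here in place of UnixSocketMode and UnixSocketCapability::new_file/new_dir.

```rust
// Added example; not nono's implementation. Names below are assumed stand-ins.
use std::io;
use std::path::{Path, PathBuf};

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Mode { Connect, ConnectBind }

#[derive(Debug, Clone, PartialEq)]
pub struct Grant { pub original: PathBuf, pub resolved: PathBuf, pub directory: bool }

fn invalid(msg: &str) -> io::Error {
    io::Error::new(io::ErrorKind::InvalidInput, msg)
}

/// ConnectBind rule: the socket file may not exist yet, so canonicalise the
/// parent directory (which must exist) and re-append the final component.
pub fn canonicalize_for_bind(path: &Path) -> io::Result<PathBuf> {
    let parent = match path.parent() {
        Some(p) if !p.as_os_str().is_empty() => p,
        Some(_) => Path::new("."), // bare file name: parent is the cwd
        None => return Err(invalid("path has no parent directory")),
    };
    let name = path.file_name().ok_or_else(|| invalid("path has no final component"))?;
    Ok(parent.canonicalize()?.join(name))
}

/// Grant for a single socket file (stand-in for new_file).
pub fn grant_file(path: impl AsRef<Path>, mode: Mode) -> io::Result<Grant> {
    let path = path.as_ref();
    let resolved = match mode {
        Mode::Connect => {
            let r = path.canonicalize()?; // must already exist
            if r.is_dir() { return Err(invalid("socket path is a directory")); }
            r
        }
        Mode::ConnectBind => canonicalize_for_bind(path)?,
    };
    Ok(Grant { original: path.to_path_buf(), resolved, directory: false })
}

/// Grant for sockets directly within a directory (stand-in for new_dir).
pub fn grant_dir(path: impl AsRef<Path>, _mode: Mode) -> io::Result<Grant> {
    let path = path.as_ref();
    let resolved = path.canonicalize()?; // directory must already exist
    if !resolved.is_dir() { return Err(invalid("not a directory")); }
    // Defence-in-depth: a grant on "/" would cover every top-level socket.
    if resolved.parent().is_none() { return Err(invalid("refusing to grant the filesystem root")); }
    Ok(Grant { original: path.to_path_buf(), resolved, directory: true })
}
```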

pub fn covers(&self, sockaddr_path: &Path) -> bool

True if sockaddr_path is covered by this grant.

  • File grants: sockaddr_path == resolved exactly.
  • Direct-child directory grants: sockaddr_path’s parent equals resolved, component-wise (non-recursive).
  • Subtree directory grants: sockaddr_path starts with resolved, component-wise.

Uses Path component semantics; never string prefix (path-component-compare invariant).
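The three covers rules above, as an added example rather than the crate's own code, including the byte-prefix comparison the path-component-compare invariant rules out ("/run/app" is a string prefix of "/run/app2/x.sock" but not a path-component prefix). Scope and its variant names are assumed here; the page does not show SocketScope's variants.

```rust
// Added example; not nono's implementation. Scope is an assumed stand-in for SocketScope.
use std::path::Path;

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Scope { File, DirectChild, Subtree }

/// Component-wise equality: "/run/app/" and "/run/app" compare equal.
fn same_components(a: &Path, b: &Path) -> bool {
    a.components().eq(b.components())
}

/// `resolved` is the grant's canonical path; `sockaddr_path` is the pathname
/// taken from sun_path of the intercepted connect/bind.
pub fn covers(scope: Scope, resolved: &Path, sockaddr_path: &Path) -> bool {
    match scope {
        // File grant: exact match only.
        Scope::File => same_components(resolved, sockaddr_path),
        // Direct-child directory grant: the socket's parent must equal the directory.
        Scope::DirectChild => sockaddr_path
            .parent()
            .map_or(false, |parent| same_components(resolved, parent)),
        // Subtree grant: Path::starts_with is already component-wise in std.
        Scope::Subtree => sockaddr_path.starts_with(resolved),
    }
}

/// The mistake the invariant forbids: a plain string prefix check.
pub fn naive_string_prefix(resolved: &Path, sockaddr_path: &Path) -> bool {
    sockaddr_path
        .to_string_lossy()
        .starts_with(&*resolved.to_string_lossy())
}
```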

pub fn is_directory(&self) -> bool

Whether this grant is directory-backed.

Trait Implementations

impl Clone for UnixSocketCapability

fn clone(&self) -> UnixSocketCapability

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for UnixSocketCapability

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for UnixSocketCapability

fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Display for UnixSocketCapability

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Serialize for UnixSocketCapability

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.
