Skip to main content

CapabilityManager

nucleus::security

Struct CapabilityManager

pub struct CapabilityManager { /* private fields */ }

Expand description

Security context that tracks capability state

Implementations§

impl CapabilityManager

pub fn new() -> Self

pub fn drop_all(&mut self) -> Result<()>

Drop all capabilities

This implements the transition: Privileged -> CapabilitiesDropped in the security state machine (Nucleus_Security_SecurityEnforcement.tla)

pub fn drop_except(&mut self, keep: &[Capability]) -> Result<()>

Drop all capabilities except the specified ones

For most use cases, we drop ALL capabilities. This method is provided for special cases where specific capabilities are needed.

pub fn apply_sets(&mut self, sets: &CapabilitySets) -> Result<()>

Apply explicit capability sets.

Bounding is handled as a drop-only upper bound; the remaining sets are set exactly to the provided values.

pub fn is_dropped(&self) -> bool

Check if capabilities have been dropped

pub fn verify_no_namespace_caps(production: bool) -> Result<()>

Verify that namespace-creating capabilities are actually absent from the effective set. This is a runtime guard for the clone3 seccomp invariant: clone3 cannot be argument-filtered at the BPF level, so we rely on CAP_SYS_ADMIN (et al.) being dropped to prevent namespace creation. If the check fails in production mode, it returns an error; otherwise it emits a warning.

Trait Implementations§

impl Default for CapabilityManager

fn default() -> Self

Returns the “default value” for a type. Read more

Auto Trait Implementations§

impl Freeze for CapabilityManager

impl RefUnwindSafe for CapabilityManager

impl Send for CapabilityManager

impl Sync for CapabilityManager

impl Unpin for CapabilityManager

impl UnsafeUnpin for CapabilityManager

impl UnwindSafe for CapabilityManager

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more