pub struct CapabilityManager { /* private fields */ }
Security context that tracks capability state.
Implementations
impl CapabilityManager
pub fn new() -> Self
pub fn drop_bounding_set(&mut self) -> Result<()>
Phase 1: Drop the bounding set and clear ambient/inheritable caps.
After this call, CAP_SETUID and CAP_SETGID remain in the effective set
so the caller can perform the identity switch (setuid/setgid). Call
[finalize_drop] after the identity switch to clear remaining caps.
This follows Docker/runc convention: bounding set is cleared first while CAP_SETPCAP is still in the effective set.
pub fn finalize_drop(&mut self) -> Result<()>
Phase 2: Clear all remaining capabilities (permitted + effective).
Call this AFTER the identity switch (setuid/setgid). If the process switched to a non-root UID, the kernel already cleared these sets; this call makes it explicit and verifies the result.
If no identity switch was needed (process stays root), this performs the actual clear.
pub fn drop_all(&mut self) -> Result<()>
Drop all capabilities in a single call (convenience wrapper).
Equivalent to calling [drop_bounding_set] then [finalize_drop].
Use the two-phase API when an identity switch is needed between phases.
pub fn drop_except(&mut self, keep: &[Capability]) -> Result<()>
Drop all capabilities except the specified ones
For most use cases, we drop ALL capabilities. This method is provided for special cases where specific capabilities are needed.
pub fn apply_sets(&mut self, sets: &CapabilitySets) -> Result<()>
Apply explicit capability sets.
Bounding is handled as a drop-only upper bound; the remaining sets are set exactly to the provided values.
pub fn is_dropped(&self) -> bool
Check if capabilities have been dropped
pub fn verify_no_namespace_caps(production: bool) -> Result<()>
Verify that namespace-creating capabilities are actually absent from the effective set. Seccomp blocks unshare, filters clone namespace flags, and returns ENOSYS for clone3; dropping these capabilities is the independent capability-layer guard. If the check fails in production mode, it returns an error; otherwise it emits a warning.
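An added example, not part of this crate, showing how the phase-1 invariant (bounding set empty while CAP_SETUID/CAP_SETGID stay effective) and the namespace-capability check described above can be verified from the Cap* lines of /proc/<pid>/status; the status excerpts are constructed, and the capability bit numbers and the choice of CAP_SYS_ADMIN as the namespace-creating capability are assumptions of this example.

```rust
use std::collections::HashMap;

// Capability bit numbers from <linux/capability.h> (kernel constants; assumed here, not from the docs).
pub const CAP_SETGID: u32 = 6;
pub const CAP_SETUID: u32 = 7;
pub const CAP_SYS_ADMIN: u32 = 21;

// Constructed /proc/self/status excerpt as it should look after drop_bounding_set:
// bounding, inheritable and ambient cleared; only setuid/setgid (bits 6 and 7) remain.
pub const AFTER_PHASE1: &str = "Name:\tworker\nCapInh:\t0000000000000000\nCapPrm:\t00000000000000c0\nCapEff:\t00000000000000c0\nCapBnd:\t0000000000000000\nCapAmb:\t0000000000000000\n";
// Constructed excerpt of a process that still holds CAP_SYS_ADMIN (bit 21).
pub const STILL_PRIVILEGED: &str = "CapEff:\t0000000000200000\nCapBnd:\t0000000000200000\n";

/// Parse the Cap* lines of a /proc/<pid>/status dump into 64-bit masks keyed by set name.
pub fn parse_cap_sets(status: &str) -> HashMap<String, u64> {
    status
        .lines()
        .filter_map(|line| {
            let (key, val) = line.split_once(':')?;
            if !key.starts_with("Cap") { return None; }
            let mask = u64::from_str_radix(val.trim(), 16).ok()?;
            Some((key.to_string(), mask))
        })
        .collect()
}

pub fn has_cap(mask: u64, cap: u32) -> bool { mask & (1u64 << cap) != 0 }

/// Phase-1 invariant: bounding set empty, setuid/setgid still in the effective set.
pub fn phase1_ok(sets: &HashMap<String, u64>) -> bool {
    let eff = sets.get("CapEff").copied().unwrap_or(0);
    sets.get("CapBnd").copied().unwrap_or(0) == 0
        && has_cap(eff, CAP_SETUID) && has_cap(eff, CAP_SETGID)
}

/// Independent capability-layer check: Err in production mode, a warning string otherwise.
pub fn verify_no_namespace_caps(sets: &HashMap<String, u64>, production: bool) -> Result<Option<String>, String> {
    let eff = sets.get("CapEff").copied().unwrap_or(0);
    if !has_cap(eff, CAP_SYS_ADMIN) { return Ok(None); }
    let msg = format!("CAP_SYS_ADMIN still effective (CapEff={eff:#018x})");
    if production { Err(msg) } else { Ok(Some(msg)) }
}

fn main() {
    // Inspect the live process on Linux; fall back to the constructed sample elsewhere.
    let status = std::fs::read_to_string("/proc/self/status").unwrap_or_else(|_| AFTER_PHASE1.to_string());
    let sets = parse_cap_sets(&status);
    println!("phase-1 invariant holds: {}", phase1_ok(&sets));
    println!("namespace caps check: {:?}", verify_no_namespace_caps(&sets, false));
}
```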