Skip to main content

LandlockManager

nucleus::security

Struct LandlockManager 

Source 
pub struct LandlockManager { /* private fields */ }
Expand description

Landlock filesystem access-control manager

Implements fine-grained, path-based filesystem restrictions as an additional defense layer on top of namespaces, capabilities, and seccomp.

Properties (matching Nucleus security invariants):

  • Irreversible: once restrict_self() is called, restrictions cannot be lifted
  • Stackable: layered with seccomp and capability dropping
  • Unprivileged: works in rootless mode

Implementations§

Source§

impl LandlockManager

Source

pub fn new() -> Self

Source

pub fn add_rw_path(&mut self, path: &str)

Register additional paths that need read+write access. Used for volume mounts that aren’t under the default allowed paths.

Source

pub fn apply_container_policy(&mut self) -> Result<bool>

Apply the container Landlock policy.

Rules:

  • / (root): read-only traversal (ReadDir) so path resolution works
  • /bin, /usr: read + execute (for running agent binaries)
  • /lib, /lib64: read (shared libraries)
  • /etc: read (config / resolv.conf / nsswitch)
  • /dev: read (already minimal device nodes)
  • /proc: read (already mounted read-only)
  • /tmp: read + write + create + remove (agent scratch space)
  • /context: read-only (pre-populated agent data)

Everything else is denied by the ruleset.

Source

pub fn assert_minimum_abi(&self, production_mode: bool) -> Result<()>

Assert that the kernel supports at least the minimum Landlock ABI version required for production workloads.

Returns Ok(()) if the ABI is sufficient, or Err if the kernel is too old. In best-effort mode, a too-old kernel is logged but not fatal.

Source

pub fn apply_container_policy_with_mode( &mut self, best_effort: bool, ) -> Result<bool>

Apply with configurable failure behavior.

When best_effort is true, failures (e.g. kernel without Landlock) are logged and execution continues.

Source

pub fn apply_execute_allowlist_policy( &mut self, allowed_roots: &[PathBuf], best_effort: bool, ) -> Result<bool>

Apply an execute-only allowlist for host-side supervisor processes.

This policy handles only LANDLOCK_ACCESS_FS_EXECUTE, leaving normal read/write access untouched. It is intended for runtimes like gVisor that need a narrow post-namespace executable allowlist while still blocking arbitrary host executable and setuid-wrapper execs after the supervisor has entered its setup namespace.

Source

pub fn is_applied(&self) -> bool

Check if Landlock policy has been applied

Trait Implementations§

Source§

impl Default for LandlockManager

Source§

fn default() -> Self

Returns the “default value” for a type. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more