Re-exports
pub use crate::oci::*;
Structs
- CapabilityManager - Security context that tracks capability state
- CapabilitySets
- CapsPolicy - Parsed capability policy from a TOML file.
- GVisorOciRunOptions - Options for running an OCI bundle with gVisor.
- GVisorRuntime - GVisor runtime manager
- LandlockManager - Landlock filesystem access-control manager
- LandlockPolicy - Parsed Landlock policy from a TOML file.
- SeccompDenyLogger - Reads /dev/kmsg for SECCOMP deny records and emits WARN-level logs.
- SeccompManager - Seccomp filter manager
- SeccompProfile - OCI-format seccomp profile (subset).
- SeccompTraceReader - Reads /dev/kmsg for SECCOMP audit records and collects unique syscalls.
Enums
- GVisorNetworkMode - Network mode for gVisor runtime.
- GVisorPlatform - Platform backend for gVisor's Sentry.
- SecurityState - Security state machine matching Nucleus_Security_SecurityEnforcement.tla
Functions
- generate_from_trace - Generate a minimal seccomp profile from a trace file.
- load_json_policy - Load and parse a JSON policy file with optional SHA-256 verification.
- load_toml_policy - Load and parse a TOML policy file with optional SHA-256 verification.
- sha256_hex - Compute the SHA-256 hex digest of a byte slice.
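The trace-to-profile pipeline behind SeccompTraceReader, SeccompDenyLogger and generate_from_trace, shown as an added std-only example; this is not the crate's own code and its names (SAMPLE_KMSG, parse_record, collect_unique_syscalls, deny_warnings, generate_profile) are hypothetical. It assumes the kernel's AUDIT_SECCOMP (type=1326) record format as it appears on /dev/kmsg, distinguishes trace hits (SECCOMP_RET_LOG, action 0x7ffc0000) from denials by the action bits of the code field, and maps syscall numbers to names with a deliberately partial x86_64 table. A syscall the table cannot name is reported as an error rather than silently dropped, since a profile missing one traced syscall would break the workload under SCMP_ACT_ERRNO.

```rust
use std::collections::BTreeSet;

/// Constructed /dev/kmsg lines in the AUDIT_SECCOMP (type=1326) format; not captured
/// from a real system. Three SECCOMP_RET_LOG hits (openat twice, read once), one
/// SECCOMP_RET_KILL_PROCESS hit (socket) and one unrelated kernel message.
pub const SAMPLE_KMSG: [&str; 5] = [
    r#"6,1001,123456,-;audit: type=1326 audit(1700000000.100:12): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4242 comm="app" exe="/usr/bin/app" sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f00 code=0x7ffc0000"#,
    r#"6,1002,123457,-;audit: type=1326 audit(1700000000.101:13): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4242 comm="app" exe="/usr/bin/app" sig=0 arch=c000003e syscall=0 compat=0 ip=0x7f00 code=0x7ffc0000"#,
    r#"6,1003,123458,-;audit: type=1326 audit(1700000000.102:14): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4242 comm="app" exe="/usr/bin/app" sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f00 code=0x7ffc0000"#,
    r#"6,1004,123459,-;audit: type=1326 audit(1700000000.103:15): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=4242 comm="app" exe="/usr/bin/app" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f00 code=0x80000000"#,
    "6,1005,123460,-;usb 1-1: new high-speed USB device number 3 using xhci_hcd",
];

// Action bits of a seccomp return value (linux/seccomp.h). Everything that is not
// SECCOMP_RET_LOG (kill, trap, errno, ...) is treated as a denial.
const SECCOMP_RET_ACTION_FULL: u32 = 0xffff_0000;
const SECCOMP_RET_LOG: u32 = 0x7ffc_0000;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SeccompRecord {
    pub pid: u32,
    pub comm: String,
    pub arch: String,
    pub syscall: u32,
    pub code: u32,
}

/// Extract `key=value` from an audit record; the leading space keeps `uid=` from
/// matching inside `auid=`. Surrounding quotes (comm="app") are stripped.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let pat = format!(" {}=", key);
    let start = line.find(pat.as_str())? + pat.len();
    let rest = &line[start..];
    let end = rest.find(' ').unwrap_or(rest.len());
    Some(rest[..end].trim_matches('"'))
}

/// Parse one kmsg line; anything that is not a type=1326 record yields None.
pub fn parse_record(line: &str) -> Option<SeccompRecord> {
    if !line.contains("type=1326") {
        return None;
    }
    let code = u32::from_str_radix(field(line, "code")?.trim_start_matches("0x"), 16).ok()?;
    Some(SeccompRecord {
        pid: field(line, "pid")?.parse().ok()?,
        comm: field(line, "comm")?.to_string(),
        arch: field(line, "arch")?.to_string(),
        syscall: field(line, "syscall")?.parse().ok()?,
        code,
    })
}

/// True for records produced by a SECCOMP_RET_LOG (trace) filter hit.
pub fn is_logged(rec: &SeccompRecord) -> bool {
    (rec.code & SECCOMP_RET_ACTION_FULL) == SECCOMP_RET_LOG
}

/// Trace reader: the set of unique (audit arch, syscall number) pairs that were logged.
pub fn collect_unique_syscalls(lines: &[&str]) -> BTreeSet<(String, u32)> {
    lines.iter().filter_map(|l| parse_record(l)).filter(is_logged).map(|r| (r.arch, r.syscall)).collect()
}

/// Deny logger: one WARN line per record whose action was not SECCOMP_RET_LOG.
pub fn deny_warnings(lines: &[&str]) -> Vec<String> {
    lines.iter().filter_map(|l| parse_record(l)).filter(|r| !is_logged(r))
        .map(|r| format!("WARN seccomp denied pid={} comm={} syscall={} code={:#x}", r.pid, r.comm, r.syscall, r.code))
        .collect()
}

// Partial syscall table (assumption: enough for the sample). A real tool would take
// the full table from the kernel headers or libseccomp for every architecture it traces.
fn syscall_name(arch: &str, nr: u32) -> Option<&'static str> {
    match (arch, nr) {
        ("c000003e", 0) => Some("read"),
        ("c000003e", 41) => Some("socket"),
        ("c000003e", 257) => Some("openat"),
        _ => None,
    }
}

fn scmp_arch(audit_arch: &str) -> Option<&'static str> {
    match audit_arch {
        "c000003e" => Some("SCMP_ARCH_X86_64"),
        "c00000b7" => Some("SCMP_ARCH_AARCH64"),
        _ => None,
    }
}

/// Emit a minimal OCI-format seccomp profile: default-deny (SCMP_ACT_ERRNO) with an
/// allow list of exactly the traced syscalls. Fails closed on anything it cannot name.
pub fn generate_profile(lines: &[&str]) -> Result<String, String> {
    let traced = collect_unique_syscalls(lines);
    if traced.is_empty() {
        return Err("no SECCOMP_RET_LOG records found in trace".to_string());
    }
    let mut arches = BTreeSet::new();
    let mut names = BTreeSet::new();
    for (arch, nr) in &traced {
        arches.insert(scmp_arch(arch).ok_or(format!("unknown audit arch {arch}"))?);
        names.insert(syscall_name(arch, *nr).ok_or(format!("no name for syscall {nr} on arch {arch}"))?);
    }
    let quote = |s: &&str| format!("\"{s}\"");
    let arch_json = arches.iter().map(quote).collect::<Vec<_>>().join(", ");
    let names_json = names.iter().map(quote).collect::<Vec<_>>().join(", ");
    Ok(format!(
        "{{\n  \"defaultAction\": \"SCMP_ACT_ERRNO\",\n  \"architectures\": [{arch_json}],\n  \"syscalls\": [{{ \"names\": [{names_json}], \"action\": \"SCMP_ACT_ALLOW\" }}]\n}}"
    ))
}

fn main() {
    for w in deny_warnings(&SAMPLE_KMSG) {
        eprintln!("{w}");
    }
    match generate_profile(&SAMPLE_KMSG) {
        Ok(profile) => println!("{profile}"),
        Err(e) => eprintln!("error: {e}"),
    }
}
```

The generated profile only allows what the trace exercised, so the trace run must cover every code path (including error handling and shutdown) or the profile will deny syscalls the workload needs; run the result under a LOG action first and feed any new hits back through the same reader before switching to ERRNO.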