pentacle is a library for executing programs as sealed anonymous files on Linux, using `memfd_create(2)`.
This is useful for executing programs that execute untrusted programs with root permissions, or ensuring a cryptographically-verified program is not tampered with after verification but before execution.
The library provides a wrapper around `Command` as well as two helper functions, `ensure_sealed` and `is_sealed`, for programs that execute sealed versions of themselves.
```rust
fn main() {
    pentacle::ensure_sealed().unwrap();
    // The rest of your code
}
```
Lower-level control over the creation and sealing of anonymous files is available via `SealOptions`.
Structs
- The `Error::source` returned by `SealOptions::seal` if required seals are not present.
- Options for creating a sealed anonymous file.
- A `Command` wrapper that spawns sealed memory-backed programs.
Functions
- Ensure the currently running program is a sealed anonymous file.
- Verify whether the currently running program is a sealed anonymous file.