Crate rappct


rappct — Rust AppContainer / LPAC toolkit (Windows)

Windows implementations for AppContainer profiles, capabilities, secure process launch (AC/LPAC), token introspection, ACLs, optional network isolation helpers, and diagnostics.

MSRV: Rust 1.90. See README for tooling/CI details.

Tour:

  • Capabilities: derive SIDs by known or named capability strings.
  • Launch: start AC/LPAC processes with optional I/O pipes and job limits.
  • Diagnostics: the introspection feature surfaces helpful configuration warnings.
  • Network helpers: the net feature provides enumeration and a loopback RAII guard.

Capability catalog: see docs/capabilities.md in the repository for common capability SIDs and starter sets, plus links to Microsoft documentation.

Quick example: launch with pipes and job limits

use rappct::{
    AppContainerProfile, KnownCapability, SecurityCapabilitiesBuilder,
    launch::LaunchOptions, launch::StdioConfig, launch::JobLimits,
    launch_in_container,
};
let profile = AppContainerProfile::ensure("rappct.sample", "rappct", Some("demo"))?;
let caps = SecurityCapabilitiesBuilder::new(&profile.sid)
    .with_known(&[KnownCapability::InternetClient])
    .build()?;
let opts = LaunchOptions {
    exe: "C:/Windows/System32/cmd.exe".into(),
    cmdline: Some(" /C echo hello".into()),
    stdio: StdioConfig::Pipe,
    join_job: Some(JobLimits {
        memory_bytes: Some(32 * 1024 * 1024),
        cpu_rate_percent: None,
        kill_on_job_close: true,
    }),
    ..Default::default()
};
let child = launch_in_container(&caps, &opts)?;

Testing note: in CI or local tests you can force LPAC support detection via the RAPPCT_TEST_LPAC_STATUS environment variable (ok or unsupported).

Refer to CONTRIBUTING.md for engineering conventions and contribution guidance.

Re-exports

pub use capability::KnownCapability;
pub use capability::SecurityCapabilities;
pub use capability::SecurityCapabilitiesBuilder;
pub use launch::JobLimits;
pub use launch::LaunchOptions;
pub use launch::Launched;
pub use launch::StdioConfig;
pub use launch::launch_in_container;
pub use launch::LaunchedIo; (Windows)
pub use launch::launch_in_container_with_io; (Windows)
pub use profile::AppContainerProfile;
pub use profile::derive_sid_from_name;
pub use sid::AppContainerSid;

Modules

acl
ACL helpers for files/directories and registry keys (DACL grant).
capability
Capability mapping and builders.
diag (feature: introspection)
Diagnostics and configuration validation (skeleton). Feature: introspection
launch
Process launch in AppContainer / LPAC with STARTUPINFOEX and security capabilities.
net (feature: net)
Network isolation helpers (skeleton). Feature: net
profile
AppContainer profile management (skeleton).
sid
AppContainer SID wrappers (skeleton). In v0.2 this will own PSIDs properly.
token
Token introspection (skeleton).
util
Shared utility helpers for platform interop.

Enums

AcError

Functions

supports_lpac
Returns Ok(()) if LPAC is supported on this OS (Windows 10 1703+).

Type Aliases

Result