
sandlock_core/
error.rs

1use thiserror::Error;
2
/// Root error type for all sandlock operations.
///
/// The `#[from]` attributes below generate `From<PolicyError>` and
/// `From<SandboxError>`, so `?` lifts either family into this type.
///
/// Each wrapping variant embeds the inner error's text in its own message
/// (`{0}`) and also exposes the inner error through `source()`. A reporter
/// that walks the source chain will therefore print the inner text twice.
#[derive(Debug, Error)]
pub enum SandlockError {
    /// Policy-related failure; the wrapped [`PolicyError`] names the rule.
    #[error("policy error: {0}")]
    Policy(#[from] PolicyError),

    /// Sandbox-related failure; see [`SandboxError`] for the cause.
    #[error("sandbox error: {0}")]
    Sandbox(#[from] SandboxError),

    /// Memory-protection failure described only by a free-form message.
    // No underlying error is attached, so `source()` returns `None` here.
    #[error("memory protection error: {0}")]
    MemoryProtect(String),
}

/// Reasons a sandbox policy is rejected.
///
/// NOTE(review): presumably produced while validating a policy before the
/// sandbox starts. Callers should treat every variant as "do not start"
/// rather than retrying with a looser policy. Confirm against call sites.
#[derive(Debug, Error)]
pub enum PolicyError {
    /// Policy is invalid for a reason given only as free-form text.
    #[error("invalid policy: {0}")]
    Invalid(String),

    /// Both `deny_syscalls` and `allow_syscalls` were supplied.
    #[error("deny_syscalls and allow_syscalls are mutually exclusive")]
    MutuallyExclusiveSyscalls,

    /// `fs_isolation` was requested without a `workdir`.
    #[error("fs_isolation requires workdir to be set")]
    FsIsolationRequiresWorkdir,

    /// `max_cpu` is outside 1-100; the payload is the rejected value.
    #[error("max_cpu must be 1-100, got {0}")]
    InvalidCpuPercent(u8),
}

/// Failures while creating or operating a sandbox.
///
/// Two variants hold a `std::io::Error`. Only [`SandboxError::Io`] is marked
/// `#[from]`, so `?` on an `io::Error` always yields `Io`; `Fork` has to be
/// constructed explicitly at the fork call site.
#[derive(Debug, Error)]
pub enum SandboxError {
    /// Forking failed. `#[source]` keeps the OS error reachable via
    /// `source()` without generating a `From` impl.
    #[error("fork failed: {0}")]
    Fork(#[source] std::io::Error),

    /// Confinement could not be applied; see [`ConfinementError`].
    // NOTE(review): a confinement failure means the restrictions are not
    // (fully) in place; callers should fail closed instead of running the
    // workload anyway. Confirm the call sites do so.
    #[error("confinement failed: {0}")]
    Confinement(#[from] ConfinementError),

    /// Error attributed to the child process, as free-form text.
    // NOTE(review): if this text originates from the sandboxed child it is
    // untrusted input; escape it before writing to logs or a terminal.
    // Confirm where the string is produced.
    #[error("child process error: {0}")]
    Child(String),

    /// Branch-related failure; see [`BranchError`].
    #[error("branch error: {0}")]
    Branch(#[from] BranchError),

    /// An operation needed a running sandbox and none was running.
    #[error("sandbox not running")]
    NotRunning,

    /// Any other I/O failure; this is the target of `?` on `io::Error`.
    #[error("io error: {0}")]
    Io(#[from] std::io::Error),
}

/// Failures in the Landlock / seccomp confinement layer.
///
/// NOTE(review): each variant means some part of the intended confinement
/// was not applied. Callers should abort the launch rather than continue
/// with reduced restrictions. Confirm that no call site downgrades silently.
#[derive(Debug, Error)]
pub enum ConfinementError {
    /// Landlock cannot be used at all; the string carries the reason.
    #[error("landlock unavailable: {0}")]
    LandlockUnavailable(String),

    /// The Landlock ABI version reported for the kernel is lower than
    /// `feature` requires.
    #[error("landlock ABI v{required} required (kernel has v{actual}): {feature}")]
    InsufficientAbi {
        /// Minimum ABI version that `feature` needs.
        required: u32,
        /// ABI version shown in the message as the kernel's.
        actual: u32,
        /// Description of the feature that needs `required`.
        feature: String,
    },

    /// Other Landlock failure, described as free-form text.
    #[error("landlock error: {0}")]
    Landlock(String),

    /// seccomp failure; see [`SeccompError`].
    #[error("seccomp error: {0}")]
    Seccomp(#[from] SeccompError),
}

/// Failures related to seccomp filtering.
#[derive(Debug, Error)]
pub enum SeccompError {
    /// Installing the seccomp filter failed; the string carries the reason.
    // NOTE(review): without an installed filter no syscall restriction is in
    // effect, so this should stop the launch. Confirm at the call site.
    #[error("seccomp filter installation failed: {0}")]
    FilterInstall(String),

    /// Failure on the notification path; see [`NotifError`].
    #[error("notification error: {0}")]
    Notif(#[from] NotifError),
}

/// Failures on the notification path.
///
/// Both I/O variants use `#[source]` rather than `#[from]`. Two `#[from]`
/// fields of the same type would produce conflicting `From` impls, so each
/// variant must be built explicitly at the point of failure.
///
/// NOTE(review): presumably this is the seccomp user-notification
/// supervisor. Memory read from the child is controlled by the sandboxed
/// process and can change between read and use, so the supervisor should
/// deny the pending syscall when any of these errors occurs. Confirm in the
/// supervisor code.
#[derive(Debug, Error)]
pub enum NotifError {
    /// Supervisor-level failure described as free-form text.
    #[error("notification supervisor error: {0}")]
    Supervisor(String),

    /// Reading the child's memory failed; the OS error is the source.
    #[error("child memory read failed: {0}")]
    ChildMemoryRead(#[source] std::io::Error),

    /// A notification ioctl failed; the OS error is the source.
    #[error("notification ioctl failed: {0}")]
    Ioctl(#[source] std::io::Error),
}

/// Failures of branch operations.
// NOTE(review): what a "branch" is cannot be determined from this file;
// link the defining module here once confirmed.
#[derive(Debug, Error)]
pub enum BranchError {
    /// A branch operation failed; the string carries the reason.
    #[error("branch operation failed: {0}")]
    Operation(String),

    /// A branch conflict was detected; the string carries the details.
    #[error("branch conflict: {0}")]
    Conflict(String),
}

/// Convenience alias for `std::result::Result` with the error type fixed to
/// [`SandlockError`].
///
/// Importing this name shadows the prelude `Result`. Code that needs a
/// different error type in the same scope must spell out
/// `std::result::Result<T, E>`.
pub type Result<T> = std::result::Result<T, SandlockError>;