
1use thiserror::Error;
2
/// Root error type for all sandlock operations.
///
/// The more specific enums in this file (`SandboxError`, `SandboxRuntimeError`,
/// the handler error) are wrapped here with `#[from]`, so lower layers can be
/// propagated up with `?`. Only `MemoryProtect` carries a bare string instead
/// of a typed cause.
#[derive(Debug, Error)]
pub enum SandlockError {
    /// Sandbox configuration was rejected while validating or building it.
    #[error("sandbox error: {0}")]
    Sandbox(#[from] SandboxError),

    /// Failure in the process runtime (fork, confinement, child, branch, I/O).
    /// Note the display prefix is "process error", not "runtime error".
    #[error("process error: {0}")]
    Runtime(#[from] SandboxRuntimeError),

    /// Memory-protection failure; the payload is a free-form message.
    // NOTE(review): this is the only root variant without a typed inner error,
    // so no underlying cause (e.g. an io::Error) travels with it — callers
    // that need the errno must put it into the string themselves.
    #[error("memory protection error: {0}")]
    MemoryProtect(String),

    /// Error raised by a seccomp syscall handler (`crate::seccomp::dispatch`).
    #[error("handler error: {0}")]
    Handler(#[from] crate::seccomp::dispatch::HandlerError),
}
18
/// Errors from sandbox configuration validation and building.
///
/// These describe a caller-side configuration mistake; presumably they are
/// raised before anything is spawned (the runtime has its own enum below).
#[derive(Debug, Error)]
pub enum SandboxError {
    /// Generic validation failure; the payload is a human-readable reason.
    // NOTE(review): the message is free-form and may embed caller-supplied
    // values such as paths. If these errors are ever shown to the sandboxed
    // workload or a remote client, confirm at the construction sites that
    // nothing about the host layout is echoed back.
    #[error("invalid sandbox: {0}")]
    Invalid(String),

    /// `fs_isolation` was requested but no `workdir` was set to isolate into.
    #[error("fs_isolation requires workdir to be set")]
    FsIsolationRequiresWorkdir,

    /// `max_cpu` was outside the accepted 1..=100 range; carries the rejected value.
    #[error("max_cpu must be 1-100, got {0}")]
    InvalidCpuPercent(u8),

    /// `confine()` was handed a policy with fields it cannot apply; the payload
    /// lists those fields. Only the Landlock filesystem policy is accepted there.
    #[error("confine() only accepts Landlock filesystem policy; unsupported fields: {0}")]
    UnsupportedForConfine(String),
}
34
/// Errors from the sandbox process runtime (fork, confinement, child, etc.).
#[derive(Debug, Error)]
pub enum SandboxRuntimeError {
    /// `fork` failed; the OS error is attached as the source.
    /// This cannot be `#[from]` because `Io` below already converts from
    /// `std::io::Error`, so the fork path has to wrap its error explicitly.
    #[error("fork failed: {0}")]
    Fork(#[source] std::io::Error),

    /// Applying confinement (Landlock / seccomp) failed.
    // NOTE(review): on this variant the child would run with fewer
    // restrictions than configured. The spawn path should fail closed (abort
    // the launch) rather than continue — confirm that is what happens.
    #[error("confinement failed: {0}")]
    Confinement(#[from] ConfinementError),

    /// Error reported for the child process; the payload is free-form text.
    // NOTE(review): if this text originates from inside the sandboxed child,
    // treat it as attacker-influenced when logging or displaying it — verify
    // where it is produced.
    #[error("child process error: {0}")]
    Child(String),

    /// Error from a branch operation (see [`BranchError`]).
    #[error("branch error: {0}")]
    Branch(#[from] BranchError),

    /// An operation needed a running sandbox but none was active.
    #[error("sandbox not running")]
    NotRunning,

    /// Catch-all for any other `std::io::Error` propagated with `?`.
    // NOTE(review): since this is the `#[from]` target for io::Error, a bare
    // `?` on a fork or confinement syscall lands here and loses the more
    // specific classification above — check the call sites map explicitly.
    #[error("io error: {0}")]
    Io(#[from] std::io::Error),
}
56
/// Errors raised while applying kernel confinement (Landlock and seccomp).
///
/// Any of these means the requested restriction was *not* applied.
// NOTE(review): callers should treat every variant as fatal for the launch
// (fail closed). Silently downgrading on `LandlockUnavailable` would run the
// workload with no filesystem restriction — confirm the policy in the spawn path.
#[derive(Debug, Error)]
pub enum ConfinementError {
    /// Landlock is not usable on this kernel at all; the payload gives the reason.
    #[error("landlock unavailable: {0}")]
    LandlockUnavailable(String),

    /// The kernel's Landlock ABI is older than a requested feature needs.
    #[error("landlock ABI v{required} required (kernel has v{actual}): {feature}")]
    InsufficientAbi {
        /// Minimum ABI version the feature needs.
        required: u32,
        /// ABI version the running kernel reports.
        actual: u32,
        /// Name of the feature that triggered the check.
        feature: String,
    },

    /// Any other Landlock failure; the payload is free-form text.
    #[error("landlock error: {0}")]
    Landlock(String),

    /// seccomp filter or notification failure.
    #[error("seccomp error: {0}")]
    Seccomp(#[from] SeccompError),
}
75
/// Errors from the seccomp layer: filter installation and the notification path.
#[derive(Debug, Error)]
pub enum SeccompError {
    /// Installing the seccomp filter failed; the payload is a free-form reason.
    // NOTE(review): a common cause is installing a filter without
    // PR_SET_NO_NEW_PRIVS (EACCES for unprivileged callers); worth naming in
    // the message at the install site — can't tell from here whether it is.
    #[error("seccomp filter installation failed: {0}")]
    FilterInstall(String),

    /// Error from the user-space notification supervisor (see [`NotifError`]).
    #[error("notification error: {0}")]
    Notif(#[from] NotifError),
}
84
/// Errors from the seccomp user-notification supervisor.
#[derive(Debug, Error)]
pub enum NotifError {
    /// Supervisor-side failure; the payload is a free-form reason.
    #[error("notification supervisor error: {0}")]
    Supervisor(String),

    /// Reading the notifying child's memory failed; the OS error is the source.
    // NOTE(review): anything read from the child's memory is attacker-
    // controlled and another thread in the child can rewrite it after the
    // read (TOCTOU). The supervisor should re-validate the notification id
    // (SECCOMP_IOCTL_NOTIF_ID_VALID) after reading and before acting on the
    // data — confirm this is done where this error is produced.
    #[error("child memory read failed: {0}")]
    ChildMemoryRead(#[source] std::io::Error),

    /// A notification ioctl on the seccomp fd failed; the OS error is the source.
    #[error("notification ioctl failed: {0}")]
    Ioctl(#[source] std::io::Error),
}
96
/// Errors from branch operations.
// NOTE(review): what a "branch" is (a copy-on-write view of the workdir?) is
// not visible from this file; the variants suggest a write path with a disk
// quota — document the concept where it is defined.
#[derive(Debug, Error)]
pub enum BranchError {
    /// A branch operation failed; the payload is a free-form reason.
    #[error("branch operation failed: {0}")]
    Operation(String),

    /// Conflicting branch state; the payload describes the conflict.
    #[error("branch conflict: {0}")]
    Conflict(String),

    /// The branch's disk quota was exhausted.
    #[error("disk quota exceeded")]
    QuotaExceeded,

    /// The target file already exists.
    #[error("file already exists")]
    Exists,
}
111
/// Crate-wide `Result` alias with [`SandlockError`] as the error type.
pub type Result<T> = core::result::Result<T, SandlockError>;