
1use thiserror::Error;
2
/// Root error type for all sandlock operations.
///
/// [`SandboxError`] and [`SandboxRuntimeError`] convert into this type via
/// `#[from]`, so `?` works directly on them in functions returning the
/// crate-level [`Result`] alias. Deeper errors (`ConfinementError`,
/// `SeccompError`, `NotifError`, `BranchError`) have no direct conversion:
/// `From` is not transitive, so they must first be lifted into
/// `SandboxRuntimeError` (or `ConfinementError`) before `?` will accept them.
///
/// Callers that react differently to "bad configuration" versus "the
/// sandboxed process failed" should match on the variant rather than on the
/// `Display` text, which is assembled from nested messages and may change.
#[derive(Debug, Error)]
pub enum SandlockError {
    /// Sandbox configuration was invalid or could not be built.
    #[error("sandbox error: {0}")]
    Sandbox(#[from] SandboxError),

    /// The sandboxed process failed at fork, confinement, or while running.
    #[error("process error: {0}")]
    Runtime(#[from] SandboxRuntimeError),

    /// Memory-protection setup failed; the cause is flattened into the String.
    // No `#[from]` here, so this variant is always constructed explicitly by
    // the code that sets up memory protection.
    #[error("memory protection error: {0}")]
    MemoryProtect(String),

    /// A seccomp notification handler reported an error.
    #[error("handler error: {0}")]
    Handler(#[from] crate::seccomp::dispatch::HandlerError),
}
18
/// Errors from sandbox configuration validation and building.
///
/// These are produced before any process is started and indicate a caller
/// mistake (an invalid or unsupported policy) rather than a runtime failure.
/// The `Display` output embeds caller-supplied data (field names, the chroot
/// path), so consider what is exposed when forwarding these messages beyond
/// the local process.
#[derive(Debug, Error)]
pub enum SandboxError {
    /// The sandbox description failed validation; the String says why.
    #[error("invalid sandbox: {0}")]
    Invalid(String),

    /// A CPU limit outside the accepted 1-100 percent range was requested.
    #[error("max_cpu must be 1-100, got {0}")]
    InvalidCpuPercent(u8),

    /// `confine()` was given a policy containing fields it does not support;
    /// the String lists the offending fields.
    #[error("confine() only accepts Landlock filesystem policy; unsupported fields: {0}")]
    UnsupportedForConfine(String),

    /// The configured chroot directory could not be accessed. `source` is the
    /// underlying I/O error (e.g. not found, permission denied).
    #[error("chroot path {path} does not exist or is inaccessible: {source}")]
    ChrootNotFound {
        path: std::path::PathBuf,
        #[source]
        source: std::io::Error,
    },
}
38
/// Errors from the sandbox process runtime (fork, confinement, child, etc.).
///
/// Note the asymmetry between [`Fork`](Self::Fork) and [`Io`](Self::Io):
/// both carry a `std::io::Error`, but only `Io` has `#[from]`. A bare `?` on
/// an `io::Result` in a function returning this type therefore always lands
/// in `Io`; a fork failure has to be wrapped explicitly so it is not reported
/// as a generic I/O problem.
#[derive(Debug, Error)]
pub enum SandboxRuntimeError {
    /// `fork` itself failed; no child exists.
    #[error("fork failed: {0}")]
    Fork(#[source] std::io::Error),

    /// Applying Landlock/seccomp confinement failed. When this is returned
    /// the intended restrictions are not in place, so callers must treat the
    /// process as unconfined rather than continue with a partial policy.
    #[error("confinement failed: {0}")]
    Confinement(#[from] ConfinementError),

    /// The child process reported or caused an error; details in the String.
    #[error("child process error: {0}")]
    Child(String),

    /// A filesystem branch operation failed.
    #[error("branch error: {0}")]
    Branch(#[from] BranchError),

    /// An operation that requires a live sandbox was called when none is running.
    #[error("sandbox not running")]
    NotRunning,

    /// Catch-all for I/O errors not classified by another variant.
    #[error("io error: {0}")]
    Io(#[from] std::io::Error),
}
60
/// Errors raised while applying Landlock and seccomp restrictions to a process.
///
/// Any of these means the requested confinement was not fully established.
// NOTE(review): the split between `LandlockUnavailable` and `Landlock` is
// presumably "Landlock not usable on this kernel" versus "a ruleset
// operation failed" — confirm against the code that constructs them.
#[derive(Debug, Error)]
pub enum ConfinementError {
    /// Landlock could not be used at all; the String carries the reason.
    #[error("landlock unavailable: {0}")]
    LandlockUnavailable(String),

    /// The kernel's Landlock ABI is older than what a requested feature needs.
    /// `required` is the ABI version `feature` depends on, `actual` is the
    /// version the kernel reports.
    #[error("landlock ABI v{required} required (kernel has v{actual}): {feature}")]
    InsufficientAbi {
        required: u32,
        actual: u32,
        feature: String,
    },

    /// A Landlock operation failed; the String carries the detail.
    #[error("landlock error: {0}")]
    Landlock(String),

    /// The seccomp layer failed; see [`SeccompError`].
    #[error("seccomp error: {0}")]
    Seccomp(#[from] SeccompError),
}
79
/// Errors from the seccomp layer: installing the filter and the user-space
/// notification path.
#[derive(Debug, Error)]
pub enum SeccompError {
    /// The seccomp filter could not be installed; the String carries the reason.
    /// No filter is active in the target when this is returned.
    #[error("seccomp filter installation failed: {0}")]
    FilterInstall(String),

    /// A seccomp user-notification operation failed; see [`NotifError`].
    #[error("notification error: {0}")]
    Notif(#[from] NotifError),
}
88
/// Errors from the seccomp user-notification supervisor.
///
/// Two variants wrap a `std::io::Error` with `#[source]` but neither uses
/// `#[from]`: thiserror would otherwise generate two conflicting
/// `From<io::Error>` impls, and the call site knows which operation failed.
/// Construct the specific variant explicitly.
#[derive(Debug, Error)]
pub enum NotifError {
    /// The supervisor loop itself failed; the String carries the detail.
    #[error("notification supervisor error: {0}")]
    Supervisor(String),

    /// Reading the notifying child's memory (e.g. to inspect syscall
    /// arguments) failed. A read that fails here must not be treated as an
    /// allow decision by the caller.
    #[error("child memory read failed: {0}")]
    ChildMemoryRead(#[source] std::io::Error),

    /// A seccomp notification ioctl on the listener fd failed.
    #[error("notification ioctl failed: {0}")]
    Ioctl(#[source] std::io::Error),
}
100
/// Errors from filesystem branch operations.
///
/// `QuotaExceeded` and `Exists` are unit variants so callers can match on
/// them directly instead of parsing message text.
#[derive(Debug, Error)]
pub enum BranchError {
    /// A branch operation failed for a reason described by the String.
    #[error("branch operation failed: {0}")]
    Operation(String),

    /// Two branches conflict; the String identifies the conflict.
    #[error("branch conflict: {0}")]
    Conflict(String),

    /// The branch's disk quota would be exceeded by the operation.
    #[error("disk quota exceeded")]
    QuotaExceeded,

    /// The target file already exists in the branch.
    #[error("file already exists")]
    Exists,
}
115
/// Convenience type alias: `std::result::Result` with [`SandlockError`] as
/// the error type. Functions that return this alias can use `?` on
/// `SandboxError` and `SandboxRuntimeError` values directly.
pub type Result<T> = std::result::Result<T, SandlockError>;