pub fn confine_current_process(policy: &Policy) -> Result<(), SandlockError>
Confine the calling process with Landlock restrictions.
This applies PR_SET_NO_NEW_PRIVS and then Landlock rules derived from the policy's
filesystem fields (fs_readable, fs_writable). IPC and signal
isolation are always enabled. The confinement is irreversible.
fs_denied is not enforced here because it requires supervisor-mediated
path interception rather than Landlock's allowlist model: Landlock can only grant
access to listed paths, not carve a denied path out of an allowed tree.
Network, seccomp, resource limits, and other policy fields are ignored.
This does NOT fork or exec — it confines the current process in-place.
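The two kernel primitives this function depends on are the no_new_privs bit and the Landlock ruleset syscalls. The block below is an added example, not code from the Sandlock crate: it sets and reads back PR_SET_NO_NEW_PRIVS and probes the Landlock ABI version with landlock_create_ruleset(2), using only the Rust standard library and raw extern declarations. It assumes Linux; the prctl constants and the syscall number 444 come from the kernel headers, and the function names (set_no_new_privs, no_new_privs_is_set, landlock_abi_version) are this example's own.

```rust
// Added example, not the crate's own implementation. Linux assumed.
use std::io;
use std::os::raw::{c_int, c_long, c_ulong};
use std::ptr;

// prctl(2) options from <linux/prctl.h>.
const PR_SET_NO_NEW_PRIVS: c_int = 38;
const PR_GET_NO_NEW_PRIVS: c_int = 39;

// landlock_create_ruleset(2) syscall number; Landlock was added after the
// syscall tables were unified, so the number is the same on every arch.
const SYS_LANDLOCK_CREATE_RULESET: c_long = 444;
// Flag from <linux/landlock.h>: return the supported ABI version instead
// of creating a ruleset (attr must be NULL and size 0).
const LANDLOCK_CREATE_RULESET_VERSION: u32 = 1;

extern "C" {
    fn prctl(option: c_int, arg2: c_ulong, arg3: c_ulong, arg4: c_ulong, arg5: c_ulong) -> c_int;
    fn syscall(num: c_long, ...) -> c_long;
}

/// Set no_new_privs on the calling thread. Once set it can never be
/// cleared, which is what makes the confinement above irreversible and
/// what landlock_restrict_self(2) requires from an unprivileged caller.
pub fn set_no_new_privs() -> io::Result<()> {
    // SAFETY: plain prctl call with constant arguments.
    let rc = unsafe { prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) };
    if rc == 0 {
        Ok(())
    } else {
        Err(io::Error::last_os_error())
    }
}

/// Read the no_new_privs bit back; useful as a post-condition check.
pub fn no_new_privs_is_set() -> io::Result<bool> {
    // SAFETY: plain prctl call with constant arguments.
    let rc = unsafe { prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) };
    match rc {
        0 => Ok(false),
        1 => Ok(true),
        _ => Err(io::Error::last_os_error()),
    }
}

/// Ask the kernel which Landlock ABI it supports. Err(ENOSYS) means the
/// kernel predates Landlock, Err(EOPNOTSUPP) means it is compiled out or
/// not enabled in the LSM list; a seccomp filter may also return EPERM.
pub fn landlock_abi_version() -> io::Result<u32> {
    // SAFETY: version query takes a NULL attr pointer and zero size.
    let rc = unsafe {
        syscall(
            SYS_LANDLOCK_CREATE_RULESET,
            ptr::null::<u8>(),
            0usize,
            LANDLOCK_CREATE_RULESET_VERSION,
        )
    };
    if rc < 0 {
        Err(io::Error::last_os_error())
    } else {
        Ok(rc as u32)
    }
}

fn main() {
    match landlock_abi_version() {
        Ok(v) => println!("Landlock ABI v{v} available"),
        Err(e) => println!("Landlock unavailable: {e}"),
    }
    set_no_new_privs().expect("PR_SET_NO_NEW_PRIVS failed");
    println!("no_new_privs = {}", no_new_privs_is_set().unwrap());
}
```

Probing the ABI version before confining is the check a caller wants: on a kernel without Landlock the prctl still succeeds, so a process can end up with no_new_privs set and no filesystem restriction at all, which is easy to mistake for a working sandbox. The bit is per-thread, so it must be set in the thread that will later call landlock_restrict_self(2).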