Trait landlock::Compatible

source · 
pub trait Compatible {
    // Required method
    fn set_best_effort(self, best_effort: bool) -> Self;
}
Expand description

Properly handles runtime unsupported features.

This guarantees consistent behaviors across crate users and runtime kernels even if this crate get new features. It eases backward compatibility and enables future-proofness.

Landlock is a security feature designed to help improve security of a running system thanks to application developers. To protect users as much as possible, compatibility with the running system should then be handled in a best-effort way, contrary to common system features. In some circumstances (e.g. applications carefully designed to only be run with a specific set of kernel features), it may be required to error out if some of these features are not available and will then not be enforced.

Required Methods§

source

fn set_best_effort(self, best_effort: bool) -> Self

To enable a best-effort security approach, Landlock features that are not supported by the running system are silently ignored by default, which is a sane choice for most use cases. However, on some rare circumstances, developers may want to have some guarantees that their applications will not run if a certain level of sandboxing is not possible. If you really want to error out when not all your requested requirements are met, then you can configure it with set_best_effort(false).

The order of this call is important because it defines the behavior of the following method calls that return a Result. If set_best_effort(false) is called on an object, then a CompatError may be returned for the next method calls, until the next call to set_best_effort(true). This enables to change the behavior of a set of build calls, for instance to be sure that the sandbox will at least restrict some access rights.

Example

Create a ruleset which will at least support execution constraints.

use landlock::{
    Access, AccessFs, Compatible, PathBeneath, Ruleset, RulesetAttr, RulesetCreated, RulesetError,
    ABI,
};

fn ruleset_fragile() -> Result<RulesetCreated, RulesetError> {
    Ok(Ruleset::new()
        // This ruleset must handle at least the execute access.
        .set_best_effort(false)
        // This handle_access() call will return
        // a wrapped AccessError<AccessFs>::Incompatible error
        // if the running kernel can't handle AccessFs::Execute.
        .handle_access(AccessFs::Execute)?
        // This ruleset may also handle other access rights
        // if they are supported by the running kernel.
        // Because handle_access() replaces the previously set value,
        // the new value must be a superset of AccessFs::Execute.
        .set_best_effort(true)
        .handle_access(AccessFs::from_all(ABI::V1))?
        .create()?)
}

Implementors§