pub struct Profile {
allowed_operations: Vec<Operation>,
}
A sandbox profile, which specifies the set of operations that this process is allowed to perform. Operations not in the list are implicitly prohibited.
If the process attempts to perform an operation not in the list that this platform can prohibit after the sandbox is entered via activate(), the operation will either fail or the process will be immediately terminated. You can check whether an operation can be prohibited on this platform with Operation::prohibition_support().
All profiles implicitly prohibit at least the following operations. Future versions of gaol may add operations to selectively allow these.
- Opening any file for writing.
- Creating new processes.
- Opening named pipes or System V IPC resources.
- Accessing System V semaphores.
- Sending signals to other processes.
- Tracing other processes.
- Accepting inbound network connections.
- Any operation that requires superuser privileges on the current operating system.
All profiles implicitly allow the following operations:
- All pure computation (user-mode CPU instructions that do not cause a context switch to supervisor mode).
- Memory allocation (for example, via brk or anonymous mmap on Unix).
- Use of synchronization primitives (mutexes, condition variables).
- Changing memory protection and use policies: for example, marking pages non-writable or informing the kernel that memory pages may be discarded. (It may be possible to restrict this in future versions.)
- Spawning new threads.
- Responding to signals (e.g. signal, sigaltstack).
- Read, write, and memory map of already-opened file descriptors or handles.
- Determining how much has been sent on a file descriptor.
- Sending or receiving on already-opened sockets, including control messages on Unix.
- I/O multiplexing on already-opened sockets and/or file descriptors (select/poll).
- Opening and closing file descriptors and sockets (but not necessarily connecting them to anything).
- Determining the user ID.
- Querying and altering thread scheduling options such as CPU affinity.
- Exiting the process.
Because of platform limitations, patterns within one profile are not permitted to overlap; the behavior is undefined if they do. For example, you may not allow metadata reads of the subpath rooted at /dev while allowing full reads of /dev/null; you must instead allow full reads of /dev or make the profile more restrictive.
Fields
allowed_operations: Vec<Operation>
Implementations
impl Profile
pub fn new(allowed_operations: Vec<Operation>) -> Result<Profile, ()>
Creates a new profile with the given set of allowed operations.
If the operations cannot be allowed precisely on this platform, this returns an error. You can then inspect the operations via OperationSupport::support() to see which ones cannot be allowed and modify the set of allowed operations as necessary. We are deliberately strict here to reduce the probability of applications accidentally allowing operations due to platform limitations.
pub fn allowed_operations(&self) -> &[Operation]
Returns the list of allowed operations.
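As an added example (not the gaol crate's own code), the following self-contained Rust sketch models the two rules documented on this page: the strictness of Profile::new, which rejects the whole set as soon as one operation cannot be allowed precisely, and the no-overlap rule on path patterns, which the crate leaves undefined but which a caller can check before building a profile. The PathPattern, SupportLevel and ProfileError types, the support callback passed to new, and the sample_support policy are assumptions made for this sketch and do not reproduce gaol's API.

```rust
use std::path::PathBuf;

/// Assumed shape of a path pattern: one exact path, or a directory and everything beneath it.
#[derive(Clone, Debug, PartialEq)]
pub enum PathPattern {
    Literal(PathBuf),
    Subpath(PathBuf),
}

impl PathPattern {
    /// True if the two patterns could match a common path. Path::starts_with
    /// compares whole components, so "/devices" does not start with "/dev".
    pub fn overlaps(&self, other: &PathPattern) -> bool {
        match (self, other) {
            (PathPattern::Literal(a), PathPattern::Literal(b)) => a == b,
            (PathPattern::Subpath(dir), PathPattern::Literal(file))
            | (PathPattern::Literal(file), PathPattern::Subpath(dir)) => file.starts_with(dir),
            (PathPattern::Subpath(a), PathPattern::Subpath(b)) => a.starts_with(b) || b.starts_with(a),
        }
    }
}

/// Assumed platform answer for one operation (a simplified stand-in for OperationSupport::support()).
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum SupportLevel {
    CanBeAllowed,
    CannotBeAllowedPrecisely,
}

/// A small subset of operation kinds, modelled on the page's /dev example plus one non-path operation.
#[derive(Clone, Debug, PartialEq)]
pub enum Operation {
    FileReadAll(PathPattern),
    FileReadMetadata(PathPattern),
    NetworkOutbound(String), // destination host or address (assumed)
}

impl Operation {
    fn path_pattern(&self) -> Option<&PathPattern> {
        match self {
            Operation::FileReadAll(p) | Operation::FileReadMetadata(p) => Some(p),
            Operation::NetworkOutbound(_) => None,
        }
    }
}

/// Why a profile was rejected; the indices point into the submitted Vec so the caller can fix the set.
#[derive(Debug, PartialEq)]
pub enum ProfileError {
    Unsupported(usize),
    Overlap(usize, usize),
}

pub struct Profile {
    allowed_operations: Vec<Operation>,
}

impl Profile {
    /// Strict constructor: any operation the platform cannot allow precisely, or any pair of
    /// overlapping path patterns, rejects the entire profile instead of silently widening it.
    pub fn new(
        allowed_operations: Vec<Operation>,
        support: impl Fn(&Operation) -> SupportLevel,
    ) -> Result<Profile, ProfileError> {
        for (i, op) in allowed_operations.iter().enumerate() {
            if support(op) != SupportLevel::CanBeAllowed {
                return Err(ProfileError::Unsupported(i));
            }
        }
        for i in 0..allowed_operations.len() {
            for j in (i + 1)..allowed_operations.len() {
                if let (Some(a), Some(b)) =
                    (allowed_operations[i].path_pattern(), allowed_operations[j].path_pattern())
                {
                    if a.overlaps(b) {
                        return Err(ProfileError::Overlap(i, j));
                    }
                }
            }
        }
        Ok(Profile { allowed_operations })
    }

    pub fn allowed_operations(&self) -> &[Operation] {
        &self.allowed_operations
    }
}

/// Constructed sample policy: a platform that can only restrict outbound traffic by IP address,
/// so a host name cannot be allowed precisely.
pub fn sample_support(op: &Operation) -> SupportLevel {
    match op {
        Operation::NetworkOutbound(d) if d.parse::<std::net::IpAddr>().is_err() => {
            SupportLevel::CannotBeAllowedPrecisely
        }
        _ => SupportLevel::CanBeAllowed,
    }
}

/// The overlapping case from the documentation: metadata reads under /dev plus full reads of /dev/null.
pub fn overlapping_dev_profile() -> Result<Profile, ProfileError> {
    Profile::new(vec![
        Operation::FileReadMetadata(PathPattern::Subpath(PathBuf::from("/dev"))),
        Operation::FileReadAll(PathPattern::Literal(PathBuf::from("/dev/null"))),
    ], sample_support)
}

/// The corrected form the documentation suggests: a single full-read pattern for /dev.
pub fn corrected_dev_profile() -> Result<Profile, ProfileError> {
    Profile::new(vec![
        Operation::FileReadAll(PathPattern::Subpath(PathBuf::from("/dev"))),
        Operation::NetworkOutbound("127.0.0.1".to_string()),
    ], sample_support)
}

fn main() {
    println!("overlapping: {:?}", overlapping_dev_profile().err());
    println!("corrected: {:?}", corrected_dev_profile().map(|p| p.allowed_operations().len()));
}
```

The point of returning indices in ProfileError is the same one the real crate makes with OperationSupport::support(): the caller gets enough information to narrow the set deliberately rather than have the sandbox quietly allow more than intended.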