Struct gaol::profile::Profile

pub struct Profile {
    allowed_operations: Vec<Operation>,
}

A sandbox profile, which specifies the set of operations that this process is allowed to perform. Operations not in the list are implicitly prohibited.

If, after the sandbox is entered via activate(), the process attempts an operation that is not in the list and that this platform is able to prohibit, the operation will either fail or the process will be immediately terminated. You can check whether an operation can be prohibited on this platform with Operation::prohibition_support().

All profiles implicitly prohibit at least the following operations. Future versions of gaol may add operations to selectively allow these.

  • Opening any file for writing.

  • Creating new processes.

  • Opening named pipes or System V IPC resources.

  • Accessing System V semaphores.

  • Sending signals to other processes.

  • Tracing other processes.

  • Accepting inbound network connections.

  • Any operation that requires superuser privileges on the current operating system.

All profiles implicitly allow the following operations:

  • All pure computation (user-mode CPU instructions that do not cause a context switch to supervisor mode).

  • Memory allocation (for example, via brk or anonymous mmap on Unix).

  • Use of synchronization primitives (mutexes, condition variables).

  • Changing memory protection and use policies: for example, marking pages non-writable or informing the kernel that memory pages may be discarded. (It may be possible to restrict this in future versions.)

  • Spawning new threads.

  • Responding to signals (e.g. signal, sigaltstack).

  • Read, write, and memory map of already-opened file descriptors or handles.

  • Determining how much has been sent on a file descriptor.

  • Sending or receiving on already-opened sockets, including control messages on Unix.

  • I/O multiplexing on already-opened sockets and/or file descriptors (select/poll).

  • Opening and closing file descriptors and sockets (but not necessarily connecting them to anything).

  • Determining the user ID.

  • Querying and altering thread scheduling options such as CPU affinity.

  • Exiting the process.

Because of platform limitations, patterns within one profile are not permitted to overlap; the behavior is undefined if they do. For example, you may not allow metadata reads of the subpath rooted at /dev while allowing full reads of /dev/null; you must instead allow full reads of /dev or make the profile more restrictive.
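A pre-flight check for the overlap rule above, added here as an example (it is not gaol's own code): the PathPattern and Operation types below are local stand-ins that mirror the names of gaol's file-read variants, with the assumed semantics that Literal matches one path and Subpath matches a directory and everything below it. Run it over the candidate operations before handing them to Profile::new.

```rust
use std::path::PathBuf;

/// Local stand-in for gaol's `PathPattern` (assumed to mirror the crate's two variants).
#[derive(Clone, Debug, PartialEq)]
pub enum PathPattern {
    Literal(PathBuf), // exactly this path
    Subpath(PathBuf), // this path and everything below it
}

impl PathPattern {
    /// Two patterns overlap when at least one path is matched by both.
    /// `Path::starts_with` compares whole components, so `/dev` does not cover `/devices`.
    pub fn overlaps(&self, other: &PathPattern) -> bool {
        match (self, other) {
            (PathPattern::Literal(a), PathPattern::Literal(b)) => a == b,
            (PathPattern::Subpath(dir), PathPattern::Literal(file))
            | (PathPattern::Literal(file), PathPattern::Subpath(dir)) => file.starts_with(dir),
            (PathPattern::Subpath(a), PathPattern::Subpath(b)) => a.starts_with(b) || b.starts_with(a),
        }
    }
}

/// Local stand-in for the file-read variants of gaol's `Operation`.
#[derive(Clone, Debug, PartialEq)]
pub enum Operation {
    FileReadAll(PathPattern),
    FileReadMetadata(PathPattern),
}

impl Operation {
    fn pattern(&self) -> &PathPattern {
        match self {
            Operation::FileReadAll(p) | Operation::FileReadMetadata(p) => p,
        }
    }
}

/// Pre-flight check to run before building the profile: returns the indices of the
/// first overlapping pair. Overlap is flagged regardless of operation kind, which is
/// exactly the /dev metadata-read vs /dev/null full-read case from the docs.
pub fn find_overlap(ops: &[Operation]) -> Option<(usize, usize)> {
    for (i, a) in ops.iter().enumerate() {
        for (j, b) in ops.iter().enumerate().skip(i + 1) {
            if a.pattern().overlaps(b.pattern()) {
                return Some((i, j));
            }
        }
    }
    None
}
```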

Fields

allowed_operations: Vec<Operation>

Implementations

impl Profile

pub fn new(allowed_operations: Vec<Operation>) -> Result<Profile, ()>

Creates a new profile with the given set of allowed operations.

If the operations cannot be allowed precisely on this platform, this returns an error. You can then inspect the operations via OperationSupport::support() to see which ones cannot be allowed and modify the set of allowed operations as necessary. We are deliberately strict here to reduce the probability of applications accidentally allowing operations due to platform limitations.

pub fn allowed_operations(&self) -> &[Operation]

Returns the list of allowed operations.

Trait Implementations

impl Clone for Profile

fn clone(&self) -> Profile

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Profile

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dst: *mut T)

This is a nightly-only experimental API (clone_to_uninit).
Performs copy-assignment from self to dst.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.