
1// Copyright 2015 The Rust Project Developers. See the COPYRIGHT
2// file at the top-level directory of this distribution and at
3// http://rust-lang.org/COPYRIGHT.
4//
5// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
6// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
7// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
8// option. This file may not be copied, modified, or distributed
9// except according to those terms.
10
11use platform::linux::seccomp::Filter;
12use platform::unix::process::Process;
13use profile::{self, AddressPattern, OperationSupport, OperationSupportLevel, Profile};
14use sandbox::{ChildSandboxMethods, Command, SandboxMethods};
15
16use std::io;
17
18pub mod misc;
19pub mod namespace;
20pub mod seccomp;
21
/// Linux marker type for platform-specific operations.
///
/// A unit struct: it carries no data. `Clone` and `Debug` are derived;
/// `Copy` is deliberately not derived, which is why the
/// `missing_copy_implementations` lint is silenced on it.
#[derive(Clone, Debug)]
#[allow(missing_copy_implementations)]
pub struct Operation;
25
impl OperationSupport for profile::Operation {
    /// Reports how faithfully the Linux backend can enforce this operation.
    ///
    /// Returns `CanBeAllowed` for whole-filesystem reads and unrestricted
    /// outbound networking, `CannotBeAllowedPrecisely` for metadata reads
    /// and for outbound networking scoped to a TCP or local-socket pattern
    /// (presumably the backend cannot narrow the policy to one destination —
    /// confirm against `seccomp.rs`), and `NeverAllowed` for system-info
    /// reads and platform-specific operations.
    fn support(&self) -> OperationSupportLevel {
        match *self {
            profile::Operation::FileReadAll(_) => OperationSupportLevel::CanBeAllowed,
            profile::Operation::FileReadMetadata(_) => {
                OperationSupportLevel::CannotBeAllowedPrecisely
            }
            // Network support depends on how narrowly the destination is
            // specified, so dispatch on the address pattern separately.
            profile::Operation::NetworkOutbound(ref pattern) => match *pattern {
                AddressPattern::All => OperationSupportLevel::CanBeAllowed,
                AddressPattern::Tcp(_) | AddressPattern::LocalSocket(_) => {
                    OperationSupportLevel::CannotBeAllowedPrecisely
                }
            },
            profile::Operation::SystemInfoRead |
            profile::Operation::PlatformSpecific(_) => OperationSupportLevel::NeverAllowed,
        }
    }
}
43
/// Parent-side handle for a Linux sandbox, built around a [`Profile`].
///
/// Construct with [`Sandbox::new`]; the profile is exposed through
/// `SandboxMethods::profile` and consulted when a child is started.
pub struct Sandbox {
    // The policy this sandbox enforces; read by `start` and `dump_filter`.
    profile: Profile,
}
47
impl Sandbox {
    /// Wraps `profile` in a new parent-side sandbox handle.
    pub fn new(profile: Profile) -> Sandbox {
        let policy = profile;
        Sandbox { profile: policy }
    }

    /// Builds the seccomp filter for this profile and dumps it.
    ///
    /// Only compiled in when the `dump_bpf_sockets` cfg flag is set; builds
    /// without that flag get the no-op version below instead.
    #[cfg(dump_bpf_sockets)]
    fn dump_filter(&self) {
        Filter::new(&self.profile).dump();
    }

    /// No-op stand-in for `dump_filter` when `dump_bpf_sockets` is not set.
    #[cfg(not(dump_bpf_sockets))]
    fn dump_filter(&self) {}
}
64
impl SandboxMethods for Sandbox {
    /// The profile this sandbox was created with.
    fn profile(&self) -> &Profile {
        let Sandbox { ref profile } = *self;
        profile
    }

    /// Launches `command` as a sandboxed child process.
    ///
    /// Dumps the BPF filter first (a no-op unless built with the
    /// `dump_bpf_sockets` cfg flag), then hands off to `namespace::start`,
    /// whose `io::Error` is propagated unchanged.
    fn start(&self, command: &mut Command) -> io::Result<Process> {
        self.dump_filter();
        let policy = self.profile();
        namespace::start(policy, command)
    }
}
75
/// Child-side handle for a Linux sandbox, built around a [`Profile`].
///
/// Construct with [`ChildSandbox::new`]; `ChildSandboxMethods::activate`
/// applies the profile to the calling process.
pub struct ChildSandbox {
    // The policy applied by `activate` (namespaces and seccomp filter).
    profile: Profile,
}
79
impl ChildSandbox {
    /// Wraps `profile` in a new child-side sandbox handle.
    pub fn new(profile: Profile) -> ChildSandbox {
        let policy = profile;
        ChildSandbox { profile: policy }
    }
}
87
impl ChildSandboxMethods for ChildSandbox {
    /// Applies the sandbox to the calling (child) process.
    ///
    /// Three steps run in order and the first failure stops the sequence:
    /// namespace setup (`namespace::activate`), the `misc::activate` step,
    /// and finally installation of the seccomp filter built from the
    /// profile. The order is kept as originally written; presumably the
    /// filter goes last so it cannot block the syscalls the earlier steps
    /// need — confirm against `seccomp.rs`.
    ///
    /// The trait signature collapses every failure to `Err(())`, so the
    /// underlying error is discarded here; callers cannot tell which step
    /// failed and should treat `Err` as "process is not sandboxed".
    fn activate(&self) -> Result<(), ()> {
        let policy = &self.profile;
        namespace::activate(policy)
            .map_err(|_| ())
            .and_then(|_| misc::activate().map_err(|_| ()))
            .and_then(|_| Filter::new(policy).activate().map(|_| ()).map_err(|_| ()))
    }
}
102