Struct landlock::RulesetCreated

pub struct RulesetCreated { /* private fields */ }

Ruleset created with Ruleset::create().

Implementations

impl RulesetCreated

pub fn restrict_self(self) -> Result<RestrictionStatus, RulesetError>

Attempts to restrict the calling thread with the ruleset according to the best-effort configuration (see RulesetCreated::set_compatibility() and CompatLevel::BestEffort). Call prctl(2) with the PR_SET_NO_NEW_PRIVS according to the ruleset configuration.

On error, returns a wrapped RestrictSelfError.

pub fn try_clone(&self) -> Result<Self>

Creates a new RulesetCreated instance by duplicating the underlying file descriptor. Rule modification will affect both RulesetCreated instances simultaneously.

On error, returns std::io::Error.

Trait Implementations

impl AsMut<RulesetCreated> for RulesetCreated

fn as_mut(&mut self) -> &mut RulesetCreated

Converts this type into a mutable reference of the (usually inferred) input type.

impl Compatible for &mut RulesetCreated

fn set_compatibility(self, level: CompatLevel) -> Self

To enable a best-effort security approach, Landlock features that are not supported by the running system are silently ignored by default, which is a sane choice for most use cases. However, on some rare circumstances, developers may want to have some guarantees that their applications will not run if a certain level of sandboxing is not possible. If we really want to error out when not all our requested requirements are met, then we can configure it with set_compatibility().

fn set_best_effort(self, best_effort: bool) -> Self

where Self: Sized,

👎Deprecated: Use set_compatibility() instead

Cf. set_compatibility():

impl Compatible for RulesetCreated

fn set_compatibility(self, level: CompatLevel) -> Self

To enable a best-effort security approach, Landlock features that are not supported by the running system are silently ignored by default, which is a sane choice for most use cases. However, on some rare circumstances, developers may want to have some guarantees that their applications will not run if a certain level of sandboxing is not possible. If we really want to error out when not all our requested requirements are met, then we can configure it with set_compatibility().

fn set_best_effort(self, best_effort: bool) -> Self

where Self: Sized,

👎Deprecated: Use set_compatibility() instead

Cf. set_compatibility():

impl Drop for RulesetCreated

fn drop(&mut self)

Executes the destructor for this type.

impl RulesetCreatedAttr for &mut RulesetCreated

fn add_rule<T, U>(self, rule: T) -> Result<Self, RulesetError>

where T: Rule<U>, U: Access,

Attempts to add a new rule to the ruleset.

fn add_rules<I, T, U, E>(self, rules: I) -> Result<Self, E>

where I: IntoIterator<Item = Result<T, E>>, T: Rule<U>, U: Access, E: From<RulesetError>,

Attempts to add a set of new rules to the ruleset.

fn set_no_new_privs(self, no_new_privs: bool) -> Self

Configures the ruleset to call prctl(2) with the PR_SET_NO_NEW_PRIVS command in restrict_self().

impl RulesetCreatedAttr for RulesetCreated

fn add_rule<T, U>(self, rule: T) -> Result<Self, RulesetError>

where T: Rule<U>, U: Access,

Attempts to add a new rule to the ruleset.

fn add_rules<I, T, U, E>(self, rules: I) -> Result<Self, E>

where I: IntoIterator<Item = Result<T, E>>, T: Rule<U>, U: Access, E: From<RulesetError>,

Attempts to add a set of new rules to the ruleset.

fn set_no_new_privs(self, no_new_privs: bool) -> Self

Configures the ruleset to call prctl(2) with the PR_SET_NO_NEW_PRIVS command in restrict_self().