[pve-lxc-syscalld.git] / src / capability.rs

use std::io;
use std::os::raw::c_ulong;

use crate::{c_call, io_format_err};

bitflags::bitflags! {
    pub struct SecureBits: c_ulong {
        const NOROOT                        = 0b0_0000_0001;
        const NOROOT_LOCKED                 = 0b0_0000_0010;
        const NO_SETUID_FIXUP               = 0b0_0000_0100;
        const NO_SETUID_FIXUP_LOCKED        = 0b0_0000_1000;
        const KEEP_CAPS                     = 0b0_0001_0000;
        const KEEP_CAPS_LOCKED              = 0b0_0010_0000;
        const NO_CAP_AMBIENT_RAISE          = 0b0_0100_0000;
        const NO_CAP_AMBIENT_RAISE_LOCKED   = 0b0_1000_0000;

        const ALL_BITS                      = 0b0_0101_0101;
        const ALL_LOCKS                     = 0b0_1010_1010;
    }
}

impl SecureBits {
    pub fn apply(&self) -> io::Result<()> {
        c_call!(unsafe { libc::prctl(libc::PR_SET_SECUREBITS, self.bits()) })?;
        Ok(())
    }

    pub fn get_current() -> io::Result<Self> {
        let bits = c_call!(unsafe { libc::prctl(libc::PR_GET_SECUREBITS) })?;
        Self::from_bits(bits as _)
            .ok_or_else(|| io_format_err!("prctl() returned unknown securebits"))
    }
}
Commit	Line	Data
738dbfbe WB	1	use std::io;
	2	use std::os::raw::c_ulong;
	3
	4	use crate::{c_call, io_format_err};
	5
	6	bitflags::bitflags! {
	7	pub struct SecureBits: c_ulong {
bd05b957 WB	8	const NOROOT = 0b0_0000_0001;
	9	const NOROOT_LOCKED = 0b0_0000_0010;
	10	const NO_SETUID_FIXUP = 0b0_0000_0100;
	11	const NO_SETUID_FIXUP_LOCKED = 0b0_0000_1000;
	12	const KEEP_CAPS = 0b0_0001_0000;
	13	const KEEP_CAPS_LOCKED = 0b0_0010_0000;
	14	const NO_CAP_AMBIENT_RAISE = 0b0_0100_0000;
	15	const NO_CAP_AMBIENT_RAISE_LOCKED = 0b0_1000_0000;
738dbfbe	16
bd05b957 WB	17	const ALL_BITS = 0b0_0101_0101;
bd05b957 WB	18	const ALL_LOCKS = 0b0_1010_1010;
738dbfbe WB	19	}
	20	}
	21
	22	impl SecureBits {
	23	pub fn apply(&self) -> io::Result<()> {
	24	c_call!(unsafe { libc::prctl(libc::PR_SET_SECUREBITS, self.bits()) })?;
	25	Ok(())
	26	}
	27
	28	pub fn get_current() -> io::Result<Self> {
	29	let bits = c_call!(unsafe { libc::prctl(libc::PR_GET_SECUREBITS) })?;
	30	Self::from_bits(bits as _)
	31	.ok_or_else(\|\| io_format_err!("prctl() returned unknown securebits"))
	32	}
	33	}