#exec #memfd-create #command #seal #memfd

pentacle

Executes programs as sealed anonymous files on Linux

4 releases (1 stable)

1.0.0 Sep 30, 2020
0.2.0 Jun 23, 2020
0.1.1 Mar 16, 2020
0.1.0 Nov 15, 2019

#660 in Unix APIs


4,225 downloads per month
Used in 3 crates

MIT license

10KB
121 lines

pentacle

pentacle is a library for executing programs as sealed anonymous files on Linux, using memfd_create(2).

This is useful for programs that execute untrusted programs with root permissions, or for ensuring that a cryptographically verified program is not tampered with after verification but before execution.

This library is based on runc's cloned_binary.c.


lib.rs:

The library provides a wrapper around Command as well as two helper functions for programs that execute sealed versions of themselves.

fn main() {
    pentacle::ensure_sealed().unwrap();

    // The rest of your code
}

Dependencies

~130KB