5 releases (2 stable)

1.1.0 Oct 3, 2024
1.0.0 Sep 30, 2020
0.2.0 Jun 23, 2020
0.1.1 Mar 16, 2020
0.1.0 Nov 15, 2019

#569 in Unix APIs

940 downloads per month
Used in 2 crates

MIT license

36KB
630 lines

pentacle is a library for executing programs as sealed anonymous files on Linux, using memfd_create(2).

This is useful when executing a program that itself runs untrusted programs with root permissions, or for ensuring that a cryptographically verified program is not tampered with after verification but before execution.

The library provides a wrapper around Command as well as two helper functions, ensure_sealed and is_sealed, for programs that execute sealed versions of themselves.

fn main() {
    pentacle::ensure_sealed().unwrap();

    // The rest of your code
}

Lower-level control over the creation and sealing of anonymous files is available via SealOptions.
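
What "sealed anonymous file" means at the kernel level, as an added example that is not pentacle's code and does not use its API: it calls memfd_create(2) and fcntl(2) directly through the C library that std already links, copies a constructed byte string in place of a real program image, and applies the four basic seals. The function names `sealed_copy` and `fully_sealed` and the memfd name `sealed-demo` are hypothetical.

```rust
// Added example (std only): the memfd sealing mechanism, not pentacle's own code.
use std::ffi::CString;
use std::fs::File;
use std::io::{self, Write};
use std::os::raw::{c_char, c_int, c_uint};
use std::os::unix::io::{AsRawFd, FromRawFd};

// Linux UAPI values from <linux/memfd.h> and <linux/fcntl.h>.
const MFD_CLOEXEC: c_uint = 0x1;
const MFD_ALLOW_SEALING: c_uint = 0x2;
const F_ADD_SEALS: c_int = 1033;
const F_GET_SEALS: c_int = 1034;
// F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE
const ALL_SEALS: c_int = 0x1 | 0x2 | 0x4 | 0x8;

extern "C" {
    fn memfd_create(name: *const c_char, flags: c_uint) -> c_int;
    fn fcntl(fd: c_int, cmd: c_int, ...) -> c_int;
}

/// Copy `image` into an anonymous file, then seal it so that neither its
/// contents, its size, nor its seal set can change again.
fn sealed_copy(image: &[u8]) -> io::Result<File> {
    let name = CString::new("sealed-demo").unwrap(); // hypothetical debug name
    let fd = unsafe { memfd_create(name.as_ptr(), MFD_CLOEXEC | MFD_ALLOW_SEALING) };
    if fd < 0 {
        return Err(io::Error::last_os_error());
    }
    let mut file = unsafe { File::from_raw_fd(fd) }; // closes fd on drop
    file.write_all(image)?;
    if unsafe { fcntl(fd, F_ADD_SEALS, ALL_SEALS) } < 0 {
        return Err(io::Error::last_os_error());
    }
    Ok(file)
}

/// True only when every seal is set; F_GET_SEALS fails on files that are not memfds.
fn fully_sealed(file: &File) -> bool {
    let seals = unsafe { fcntl(file.as_raw_fd(), F_GET_SEALS) };
    seals >= 0 && (seals & ALL_SEALS) == ALL_SEALS
}

fn main() -> io::Result<()> {
    // Constructed stand-in for the bytes of a verified program.
    let mut f = sealed_copy(b"constructed program image")?;
    println!("fully sealed: {}", fully_sealed(&f));
    println!("write after seal: {:?}", f.write_all(b"x").map_err(|e| e.kind()));
    Ok(())
}
```

Once the seals are applied, every holder of the descriptor, including the process that created it, gets EPERM on write and truncate, which is what closes the window between verifying a program and executing it.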


pentacle

pentacle is a library for executing programs as sealed anonymous files on Linux, using memfd_create(2). It also has a lower-level interface for creating and sealing anonymous files with various flags.

This library is based on runc's cloned_binary.c.

Dependencies

~135KB