Crates.io | bevy_mod_lockdown |
lib.rs | bevy_mod_lockdown |
version | |
source | src |
created_at | 2024-04-21 13:50:23.233673 |
updated_at | 2024-11-30 14:12:53.272978 |
description | bevy_mod_lockdown is a library to reduce the attack surface your application offers. |
homepage | https://github.com/FrTerstappen/bevy_mod_lockdown |
repository | https://github.com/FrTerstappen/bevy_mod_lockdown |
max_upload_size | |
id | 1215404 |
size | 0 |
bevy_mod_lockdown is a library to reduce the attack surface your application offers.
[!WARNING]
This plugin is in a very early stage of development.
Expect major changes to the contained features and to the API of existing features.
[!NOTE]
This repository is open for additional features and the expansion of existing features to other platforms.
It is currently limited to the features I use in my personal project and the platforms I have available.
bevy_mod_lockdown offers ways to reduce the attack surface your application offers. It can for example disable network usage or limit file system access to specific directories. This is mainly intended for applications that load third-party code but can also help in other situations.
This plugin also offers some `Resources` to check the status of the "lockdown".
This allows the application to e.g. terminate if it was unable to disable network access.
See this chapter for more information.
[!WARNING]
This only reduces the attack surface and does not make running unknown code safe.
It is recommended to ensure the application is already safe without the usage of bevy_mod_lockdown.
The resource `LockdownAdjustments` can be used to check the status of the adjustments.
The features each add a field to the resource that matches the feature name.
These fields are enums with variants describing the current status.
To be as modular as possible this library has most of its functionality gated behind separate features.
None of those features are enabled by default.
You need to enable some features for this library to be useful.
You can see the availability of features and their inclusion in full_speed in this table.
[!NOTE]
By default only the feature `feature_warning` is enabled which logs a warning when no other feature is enabled.
The features described here are independent of the used platform.
egui
Adds a convenience method to display the `LockdownAdjustments` with egui.
See the `egui` example for usage.
Run the example with `cargo run --example egui --features="egui"`.
Include other features to see something besides the warning.
Feature support on different platforms:
Feature | Linux | Windows |
---|---|---|
filesystem | :white_check_mark: | :grey_question: |
network | :grey_question: | :grey_question: |
privilege | :white_check_mark: | :white_check_mark: |
system_call | :grey_question: | :grey_question: |
Legend:
:grey_question: = To be evaluated
:white_square_button: = Not yet implemented
:white_check_mark: = Implemented
:negative_squared_cross_mark: = Feature not supported on this platform
[!NOTE]
Features enabled on a platform they do not support do nothing.[^1]
filesystem
Restricts access to the filesystem, blocking access to all paths that are not explicitly allowed.
Use the resource `AllowedFilesystemAccess` to adjust which paths are allowed to be read and/or written.
By default this already includes the paths needed for bevy on the current platform.
This happens in `Startup`, which means that full access to the file system is still possible in `PreStartup` and partly in `Startup`.
[!NOTE]
You probably need to add at least the paths for your configuration and save game for your game to work as expected.
Currently only implemented on Linux, where it uses Landlock and requires a kernel with support for it.
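Because the filesystem restriction depends on kernel support for Landlock, an application can probe for it up front and fail closed. The following is an added example, not code from bevy_mod_lockdown: it calls the `landlock_create_ruleset` syscall directly, and the syscall number and errno values are the ones for x86_64 and aarch64 Linux; the names `LandlockSupport`, `classify` and `probe_landlock` are made up for this illustration.

```rust
use std::ffi::{c_long, c_void};

// Syscall number of landlock_create_ruleset (assumed: x86_64 / aarch64 Linux).
const SYS_LANDLOCK_CREATE_RULESET: c_long = 444;
// Flag that makes the call return the Landlock ABI version, creating nothing.
const LANDLOCK_CREATE_RULESET_VERSION: u32 = 1;
// errno values on x86_64 / aarch64 Linux.
const ENOSYS: i32 = 38;
const EOPNOTSUPP: i32 = 95;

unsafe extern "C" {
    // libc's generic syscall wrapper; std already links libc on Linux.
    fn syscall(num: c_long, ...) -> c_long;
}

#[derive(Debug, PartialEq)]
pub enum LandlockSupport {
    Available { abi: u32 },
    NotInKernel,    // ENOSYS: kernel older than 5.13 or built without Landlock
    DisabledAtBoot, // EOPNOTSUPP: built in, but not enabled at boot
    Unknown { errno: i32 },
}

/// Pure mapping from the raw syscall result to a status (kept separate for testing).
pub fn classify(ret: i64, errno: i32) -> LandlockSupport {
    match (ret, errno) {
        (abi, _) if abi >= 1 => LandlockSupport::Available { abi: abi as u32 },
        (_, ENOSYS) => LandlockSupport::NotInKernel,
        (_, EOPNOTSUPP) => LandlockSupport::DisabledAtBoot,
        (_, e) => LandlockSupport::Unknown { errno: e },
    }
}

pub fn probe_landlock() -> LandlockSupport {
    let ret = unsafe {
        syscall(SYS_LANDLOCK_CREATE_RULESET, std::ptr::null::<c_void>(), 0usize,
                LANDLOCK_CREATE_RULESET_VERSION)
    };
    let errno = std::io::Error::last_os_error().raw_os_error().unwrap_or(0);
    classify(ret as i64, errno)
}

fn main() {
    match probe_landlock() {
        LandlockSupport::Available { abi } => println!("Landlock ABI v{abi} available"),
        other => {
            eprintln!("no Landlock ({other:?}): filesystem lockdown cannot be enforced");
            std::process::exit(1);
        }
    }
}
```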
network
Not yet implemented for any platform.
privilege
Reduces the privilege granted to the application.
This happens in `PostStartup`, which means that elevated privileges are still available in `PreStartup`, `Startup` and partly in `PostStartup`.
system_call
Not yet implemented for any platform.
Include the library in your project by adding it to your `Cargo.toml`.

```toml
[dependencies]
bevy = "0.14.0"
bevy_mod_lockdown = "0.3.0"
```

Then add the `LockdownPlugin` to your app as shown below.

```rust
use bevy::prelude::*;
use bevy_mod_lockdown::LockdownPlugin;

fn main() {
    App::new()
        .add_plugins(LockdownPlugin)
        .run();
}
```
Contributions are welcome. For larger changes please open an issue first.
Unless explicitly stated otherwise, any contribution submitted to this project shall be dual licensed under the MIT License and Apache License, Version 2.0, without any additional terms or conditions.
All code in this repository is dual-licensed under either:
bevy | bevy_mod_lockdown |
---|---|
0.15.0 | 0.5.0 |
0.14.1 | 0.4.0 |
0.14.0 | 0.3.0 |
0.13.1 | 0.1.0 - 0.2.0 |
[^1]: Besides a log entry in some cases.