diff --git a/Cargo.toml b/Cargo.toml
index b8574490..d72914a8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -16,3 +16,18 @@ debug = true
 codegen-units = 1
 inherits = "release"
 lto = "yes"
+
+[workspace.lints.rust]
+# Require an extra opt-in for unsafe
+unsafe_code = "deny"
+# Absolutely must handle errors
+unused_must_use = "forbid"
+
+[workspace.lints.clippy]
+# These should only be in local code
+dbg_macro = "deny"
+todo = "deny"
+# These two are in my experience the lints which are most likely
+# to trigger, and among the least valuable to fix.
+needless_borrow = "allow"
+needless_borrows_for_generic_args = "allow"
diff --git a/rust/composefs-sys/Cargo.toml b/rust/composefs-sys/Cargo.toml
index bda05ecf..d2b2db6e 100644
--- a/rust/composefs-sys/Cargo.toml
+++ b/rust/composefs-sys/Cargo.toml
@@ -23,3 +23,6 @@ system-deps = "6"
 [dev-dependencies]
 anyhow = "1"
 tempfile = "3"
+
+[lints]
+workspace = true
diff --git a/rust/composefs-sys/src/lib.rs b/rust/composefs-sys/src/lib.rs
index 95ce90eb..fdf4b867 100644
--- a/rust/composefs-sys/src/lib.rs
+++ b/rust/composefs-sys/src/lib.rs
@@ -30,6 +30,7 @@ mod tests {
 
     #[test]
     #[cfg(feature = "v1_0_4")]
+    #[allow(unsafe_code)]
     fn test_fd_enable_fsverity() -> Result<()> {
         // We can't require fsverity in our test suite, so just verify we can call the
         // function.
@@ -41,22 +42,21 @@ mod tests {
     }
 
     #[test]
+    #[allow(unsafe_code)]
     fn test_digest() -> Result<()> {
-        unsafe {
-            let mut tf = tempfile::tempfile()?;
-            tf.write_all(b"hello world")?;
-            let mut buf = [0u8; LCFS_SHA256_DIGEST_LEN];
-            tf.seek(std::io::SeekFrom::Start(0))?;
-            let r = lcfs_compute_fsverity_from_fd(buf.as_mut_ptr(), tf.as_raw_fd());
-            assert_eq!(r, 0);
-            assert_eq!(
-                buf,
-                [
-                    30, 46, 170, 66, 2, 215, 80, 164, 17, 116, 238, 69, 73, 112, 185, 44, 27, 194,
-                    249, 37, 177, 227, 80, 118, 216, 199, 213, 245, 99, 98, 186, 100
-                ]
-            );
-            Ok(())
-        }
+        let mut tf = tempfile::tempfile()?;
+        tf.write_all(b"hello world")?;
+        let mut buf = [0u8; LCFS_SHA256_DIGEST_LEN];
+        tf.seek(std::io::SeekFrom::Start(0))?;
+        let r = unsafe { lcfs_compute_fsverity_from_fd(buf.as_mut_ptr(), tf.as_raw_fd()) };
+        assert_eq!(r, 0);
+        assert_eq!(
+            buf,
+            [
+                30, 46, 170, 66, 2, 215, 80, 164, 17, 116, 238, 69, 73, 112, 185, 44, 27, 194, 249,
+                37, 177, 227, 80, 118, 216, 199, 213, 245, 99, 98, 186, 100
+            ]
+        );
+        Ok(())
     }
 }
diff --git a/rust/composefs/Cargo.toml b/rust/composefs/Cargo.toml
index fdf3fbf5..638f18ce 100644
--- a/rust/composefs/Cargo.toml
+++ b/rust/composefs/Cargo.toml
@@ -25,3 +25,6 @@ composefs-sys = { version = "0.1.0", path = "../composefs-sys" }
 [dev-dependencies]
 tar = "0.4.38"
 tempfile = "3.2.0"
+
+[lints]
+workspace = true
diff --git a/rust/composefs/src/lib.rs b/rust/composefs/src/lib.rs
index 620f9202..bdc59b19 100644
--- a/rust/composefs/src/lib.rs
+++ b/rust/composefs/src/lib.rs
@@ -7,14 +7,6 @@
 //! The core functionality exposed at the moment is just support for creating
 //! and parsing composefs "superblock" entries.
 
-// See https://doc.rust-lang.org/rustc/lints/listing/allowed-by-default.html
-#![deny(missing_docs)]
-#![deny(missing_debug_implementations)]
-#![forbid(unused_must_use)]
-#![deny(unsafe_code)]
-#![deny(clippy::dbg_macro)]
-#![deny(clippy::todo)]
-
 use std::{
     fs::File,
     io::{BufRead, BufReader},