Crates.io | libscmp |
lib.rs | libscmp |
version | 0.2.0 |
source | src |
created_at | 2020-11-25 14:26:36.511162 |
updated_at | 2021-06-05 20:31:42.516078 |
description | A safe, sane Rust interface to libseccomp on Linux. |
homepage | |
repository | https://github.com/cptpcrd/libscmp |
max_upload_size | |
id | 316303 |
size | 78,150 |
A safe, sane Rust interface to libseccomp
on Linux.
Note: This is not a high-level interface; most functions/methods in this library directly correspond to a libseccomp
function. However, this library provides a sane, usable interface to libseccomp
, something that seems to be lacking.
libseccomp
By default, libscmp
supports libseccomp v2.3.0+. Enabling the libseccomp-2-4
feature enables support for libseccomp v2.4.0+ APIs (and also tells libscmp
that it can assume it will never run against a version of libseccomp prior to v2.4.0). The libseccomp-2-5
feature works similarly (and implies libseccomp-2-4
).
libscmp
assumes that the minimum version as specified by the feature flags is correct. For example, if the libseccomp-2-4
feature is specified, libscmp
may perform optimizations by assuming that features added in libseccomp v2.4.0 are present, rather than explicitly probing for them. However, it does NOT check the version of libseccomp
that actually gets loaded at runtime to see if this is correct.
This is unlikely to cause any serious issues, and in most cases everything will be fine. However, if you cannot guarantee that the correct version of libseccomp
will always be loaded (for example, if you are distributing compiled binaries that end users may download and run on older systems), it is recommended to check libseccomp_version()
like so: assert!(libscmp::libseccomp_version() >= (2, 4, 0));
.
To build a crate that depends on libscmp
, you need libseccomp
installed :-). You may need to install the "development" libseccomp
package (for example, libseccomp-dev
on Debian/Ubuntu) so that it can be found properly.
Building this crate against musl libc is tricky, because you need to have a statically-linked version of libseccomp
installed that was compiled against musl. This usually means you have to either build libseccomp
manually (!) or use a musl-based distribution that provides a statically-linked libseccomp
.
Here's a proof of concept for building against musl using an Alpine Linux Docker container. In most cases you'd want to create a separate Docker image with the dependencies installed (and then switch users when actually compiling), but this illustrates the process:
docker run -v $PWD:/src --rm alpine:latest sh -c '
set -e
apk add libseccomp-static gcc
wget -O- https://sh.rustup.rs | sh /dev/stdin -y --default-host x86_64-unknown-linux-musl --default-toolchain stable
source $HOME/.cargo/env
cd /src
export RUSTFLAGS="-L /usr/lib"
cargo build
'