Crates.io | libseccomp |
lib.rs | libseccomp |
version | 0.3.0 |
source | src |
created_at | 2021-04-18 17:39:11.205633 |
updated_at | 2022-10-01 04:26:15.651617 |
description | Rust Language Bindings for the libseccomp Library |
homepage | |
repository | https://github.com/libseccomp-rs/libseccomp-rs |
max_upload_size | |
id | 386238 |
size | 280,987 |
Rust Language Bindings for the libseccomp Library
The libseccomp library provides an easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism. The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional function-call based filtering interface that should be familiar to, and easily adopted by, application developers.
The libseccomp-rs provides a Rust based interface to the libseccomp library. This repository contains libseccomp and libseccomp-sys crates that enable developers to use the libseccomp API in Rust.
Create and load a single seccomp rule:
use libseccomp::*;
fn main() -> Result<(), Box<dyn std::error::Error>> {
// Creates and returns a new filter context.
let mut filter = ScmpFilterContext::new_filter(ScmpAction::Allow)?;
// Adds an architecture to the filter.
filter.add_arch(ScmpArch::X8664)?;
// Returns the number of a syscall by name.
let syscall = ScmpSyscall::from_name("dup3")?;
// Adds a single rule for an unconditional action on the syscall.
filter.add_rule(ScmpAction::Errno(10), syscall)?;
// Loads the filter context into the kernel.
filter.load()?;
// The dup3 fails by the seccomp rule.
assert_eq!(
unsafe { libc::dup3(0, 100, libc::O_CLOEXEC) } as i32,
-libc::EPERM
);
assert_eq!(std::io::Error::last_os_error().raw_os_error().unwrap(), 10);
Ok(())
}
Before using the libseccomp crate, you need to install the libseccomp library for your system. The libseccomp library version 2.4 or newer is required.
e.g. Debian-based Linux
$ sudo apt install libseccomp-dev
If you want to build the libseccomp library from an official release tarball instead of the package, you should follow the quick step.
$ LIBSECCOMP_VERSION=2.5.3
$ wget https://github.com/seccomp/libseccomp/releases/download/v${LIBSECCOMP_VERSION}/libseccomp-${LIBSECCOMP_VERSION}.tar.gz
$ tar xvf libseccomp-${LIBSECCOMP_VERSION}.tar.gz
$ cd libseccomp-${LIBSECCOMP_VERSION}
$ ./configure
$ make
$ sudo make install
For more details, see the libseccomp library repository.
If you use the libseccomp crate with dynamically linked the libseccomp library, you do not need additional settings.
However, if you want to use the libseccomp crate against musl-libc with statically linked the libseccomp library,
you have to set the LIBSECCOMP_LINK_TYPE
and LIBSECCOMP_LIB_PATH
environment variables as follows.
$ export LIBSECCOMP_LINK_TYPE=static
$ export LIBSECCOMP_LIB_PATH="the path of the directory containing libseccomp.a (e.g. /usr/lib)"
Note: To build the libseccomp crate against musl-libc, you need to build the libseccomp library manually for musl-libc or use a musl-based distribution that provides a package for the statically-linked libseccomp library
Now, add the following to your Cargo.toml
to start building the libseccomp crate.
[dependencies]
libseccomp = "0.3.0"
The libseccomp crate provides a number of unit tests. If you want to run the standard regression tests, you can execute the following command.
$ make test
Anyone is welcome to join and contribute code, documentation, and use cases.
For details on how to contribute to the libseccomp-rs project, please see the contributing document.
This crate is licensed under:
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in libseccomp-rs by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.