restrict 0.1.2

A DX-focused crate that lets you allow or deny Linux syscalls using an ergonomic, auto-generated enum tailored to your system architecture.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

# restrict

**Ergonomic and DX-first Linux syscall filtering crate**

`restrict` offers a clean, expressive API to allow or deny syscalls on Linux. It generates a system-aware `Syscall` enum at build time and exposes a safe policy manager to configure syscall rules for your application.

---

## ✨ Features

- 🚀 **Auto-generated** `Syscall` enum tailored to your host architecture  
- 📝 **Ergonomic API**: `policy.allow(Syscall::Write)?;`  
- 🔒 **Safe wrapper**: no `unsafe` blocks or raw pointers  
- 🎛️ **Allow-by-default** or **deny-by-default** policy modes  
- 🔍 **Runtime inspection**: list allowed or killed syscalls  

---
## Prerequisites

You need `libseccomp-dev` installed in your Linux

```bash
sudo apt-get update && sudo apt-get install -y libseccomp-dev
```




## 🚀 Quickstart

>**`allow_all()` is the recommended default for most use cases to avoid unintentionally blocking essential syscalls.**

```rust
use restrict::{Policy, Syscall, Action};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Start with all syscalls allowed
    let mut policy = Policy::allow_all()?; // recommended

    policy
        .deny(Syscall::Execve)?   // prevent process spawning
        .deny(Syscall::Ptrace)?   // prevent tracing/hijacking
        .apply()?;                // apply the final filter set

    // Your program continues safely here
    Ok(())
}
```

Or, for a stricter base policy:

```rust
use restrict::{Policy, Syscall};

fn main() -> Result<(), Box<dyn std::error::Error>> {

    let mut policy = Policy::deny_all()?;  
    policy
        .allow(Syscall::Read)?
        .allow(Syscall::Write)?
        .apply()?;  

    // only allow read and write
    Ok(())
}
```

## 🛠️ API Overview

- `Policy::allow_all()`
Starts with all syscalls allowed; then call `.deny(...)` for any you want to block.

- `Policy::deny_all()`
Starts with all syscalls denied; then call `.allow(...)` for any you need.

- `policy.allow(syscall: Syscall)``&mut Self`
Mark a syscall as allowed.

- `policy.deny(syscall: Syscall)``&mut Self`
Mark a syscall as killed.

- `policy.apply()``()`
Finalize and load all collected filters into the kernel.

- `policy.list_allowed_syscalls()` -> `Vec<Syscall>`
Retrieve the list of syscalls you’ve allowed(by `allow()`).

- `policy.list_killed_syscalls()` -> `Vec<Syscall>`
Retrieve the list of syscalls you’ve denied(by `deny()`).

## 📦 Generated Syscall Enum
During build, `restrict` parses your system headers (e.g. /usr/include/asm/unistd_64.h) and emits:
```rust
/// System call list generated from `/usr/include/asm/unistd_64.h`
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Syscall {
    Read = 0,
    Write = 1,
    Open = 2,
    // … etc …
}
```

This ensures accuracy across architectures (x86_64, aarch64, etc.).
To override the header location:

```sh
SYSCALL_INCLUDE_DIR=/path/to/other/asm cargo build
```

## License

This project is licensed under the terms of the [MIT license](LICENSE).

See the [LICENSE](LICENSE) file for more details.