restrict 0.2.1

A crate to allow, deny, or trace Linux syscalls with an ergonomic, auto-generated enum customized for your system architecture.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

//! Example: Printing logs using tracing_subscriber
//!
//! Usage:
//! ```bash
//! cargo run --example exammple_logs --features logging
//! ```
use std::fs;

use restrict::{
    policy::{self, Policy, Syscall},
    SeccompError, TraceAction,
};
use tracing_subscriber::fmt;

fn main() -> Result<(), SeccompError> {
    //init the subscriber
    let _subscriber = fmt::Subscriber::builder()
        .with_writer(std::io::stderr)
        .with_thread_ids(true)
        .compact()
        .init();

    let mut policy = Policy::allow_all()?;
    policy.deny(Syscall::Munmap);
    policy.deny(Syscall::ExitGroup);
    policy.trace(policy::Syscall::Openat, |syscall| {
        println!("Syscall {:?} triggered", syscall);
        return TraceAction::Continue;
    });

    // apply
    policy.apply()?;
    let open_file = fs::File::open("test.txt");
    println!("Opened file {:?}", open_file);
    Ok(())
}