restrict 0.2.1

A crate to allow, deny, or trace Linux syscalls with an ergonomic, auto-generated enum customized for your system architecture.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

use std::fs;

use restrict::{policy::Policy, TraceAction, *};

fn main() -> Result<(), SeccompError> {
    println!("This process will be killed at the end!");

    let mut filter = Policy::allow_all()?.verbose(true);
    // filter.allow(Syscall::Write);
    // filter.allow(Syscall::Openat);
    // filter.allow(Syscall::Sigaltstack);
    // filter.allow(Syscall::Munmap);

    filter.trace(policy::Syscall::Openat, |syscall| {
        println!("Syscall {:?} triggered", syscall);
        return TraceAction::Continue;
    });
    filter.trace(policy::Syscall::Write, |syscall| {
        println!("Syscall {:?} triggered [this is a custom handler]", syscall);
        return TraceAction::Continue;
    });

    filter.apply()?;

    // openat() syscall
    let _read_fs = fs::read("test.txt").unwrap();
    println!(
        "The current proccess should be killed before this is displayed because this uses openat() syscall"
    );
    Ok(())
}