tabox 1.3.6

A sandbox to execute a program in an isolated environment and measure its resource usage
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
// SPDX-License-Identifier: MPL-2.0

use std::ffi::CString;

use anyhow::bail;

use crate::syscall_filter::SyscallFilterAction;
use crate::util::strerror;
use crate::Result;

impl SyscallFilterAction {
    /// Transform the Action to the correct seccomp parameter
    fn to_seccomp_param(self) -> u32 {
        match self {
            SyscallFilterAction::Allow => seccomp_sys::SCMP_ACT_ALLOW,
            SyscallFilterAction::Kill => seccomp_sys::SCMP_ACT_KILL,
            SyscallFilterAction::Errno(errno) => seccomp_sys::SCMP_ACT_ERRNO(errno),
        }
    }
}

/// Wrapper of a libseccomp filter object
pub struct SeccompFilter {
    ctx: *mut seccomp_sys::scmp_filter_ctx,
}

impl SeccompFilter {
    /// Create a new filter
    pub fn new(default_action: SyscallFilterAction) -> Result<SeccompFilter> {
        let ctx = unsafe { seccomp_sys::seccomp_init(default_action.to_seccomp_param()) };
        if ctx.is_null() {
            bail!("seccomp_init() error: {}", strerror())
        } else {
            Ok(SeccompFilter { ctx })
        }
    }

    /// Allow a syscall
    pub fn filter(&mut self, name: &str, action: SyscallFilterAction) -> Result<()> {
        debug!("Add rule {} {:?}", name, action);
        let syscall_name = CString::new(name).unwrap();
        let syscall_num =
            unsafe { seccomp_sys::seccomp_syscall_resolve_name(syscall_name.as_ptr()) };
        if syscall_num == seccomp_sys::__NR_SCMP_ERROR {
            bail!(
                "Error calling seccomp_syscall_resolve_name: unknown system call: {}",
                name
            );
        }
        if unsafe {
            seccomp_sys::seccomp_rule_add(self.ctx, action.to_seccomp_param(), syscall_num, 0)
        } < 0
        {
            bail!("Error calling seccomp_rule_add(): {}", strerror())
        } else {
            Ok(())
        }
    }

    /// Load the specified filter
    pub fn load(&self) -> Result<()> {
        if unsafe { seccomp_sys::seccomp_load(self.ctx) } < 0 {
            bail!("Error calling seccomp_load(): {}", strerror())
        } else {
            Ok(())
        }
    }
}

impl Drop for SeccompFilter {
    fn drop(&mut self) {
        unsafe {
            seccomp_sys::seccomp_release(self.ctx);
        }
    }
}