vtcode-process-hardening 0.59.2

Process hardening and security measures for VT Code
Documentation

vtcode-process-hardening

This crate provides pre_main_hardening(), which is designed to be called pre-main() (using #[ctor::ctor]) to perform various process hardening steps, such as:

  • disabling core dumps
  • disabling ptrace attach on Linux and macOS
  • removing dangerous environment variables such as LD_PRELOAD and DYLD_*

Usage

Add to your binary's Cargo.toml:

[dependencies]
ctor = "0.2"
vtcode-process-hardening = { path = "../vtcode-process-hardening" }

In your main.rs:

#[ctor::ctor]
fn init() {
    vtcode_process_hardening::pre_main_hardening();
}

fn main() {
    // Your code here
}

Security Hardening

Linux/Android

  • PR_SET_DUMPABLE: Prevents ptrace attachment and disables core dumps at the process level
  • RLIMIT_CORE: Sets core file size limit to 0 for defense in depth
  • LD_ removal*: Strips LD_PRELOAD and similar variables that could subvert library loading

macOS

  • PT_DENY_ATTACH: Prevents debugger attachment via the ptrace system call
  • RLIMIT_CORE: Disables core dumps
  • DYLD_ removal*: Removes dynamic linker environment variables that could compromise library loading

BSD (FreeBSD, OpenBSD)

  • RLIMIT_CORE: Sets core file size limit to 0
  • LD_ removal*: Strips dynamic linker variables

Notes

  • This crate calls unsafe libc functions but validates all return codes and exits cleanly on failure
  • Environment variable removal uses std::env::vars_os() to handle non-UTF-8 variable names correctly
  • On Windows, hardening is a placeholder for future implementation