evalbox_sys/
lib.rs

//! Low-level Linux syscall wrappers for sandboxing.
//!
//! This crate provides thin wrappers around Linux-specific security syscalls
//! that are not available in rustix or libc. For standard syscalls, use rustix.
//!
//! ## Modules
//!
//! - **landlock** - Landlock LSM for filesystem/network/scope access control (kernel 5.13+)
//! - **seccomp** - Seccomp-BPF syscall filtering
//! - **`seccomp_notify`** - Seccomp user notification (`SECCOMP_RET_USER_NOTIF`)
//! - **check** - Runtime system capability detection
//!
//! ## Landlock
//!
//! Landlock provides fine-grained, unprivileged access control for the
//! filesystem and, on newer kernels, for TCP networking and IPC scoping.
//! Features are gated by the kernel's Landlock ABI version:
//! - ABI 1: Basic filesystem access rights (kernel 5.13)
//! - ABI 2: Linking/renaming across directories, `LANDLOCK_ACCESS_FS_REFER` (kernel 5.19)
//! - ABI 3: File truncation, `LANDLOCK_ACCESS_FS_TRUNCATE` (kernel 6.2)
//! - ABI 4: TCP bind/connect control, `LANDLOCK_ACCESS_NET_*` (kernel 6.7)
//! - ABI 5: Device ioctl control, `LANDLOCK_ACCESS_FS_IOCTL_DEV` (kernel 6.10)
//! - ABI 6: Scoped signals and abstract unix sockets, `LANDLOCK_SCOPE_*` (kernel 6.12)
//!
//! Probe the ABI at runtime with `landlock_create_ruleset(NULL, 0,
//! LANDLOCK_CREATE_RULESET_VERSION)` and only pass access rights the running
//! kernel knows about: an unknown bit in `handled_access_fs` makes ruleset
//! creation fail with `EINVAL`, and any right that is dropped to stay
//! compatible is a right that is not being enforced.
//!
//! ## Seccomp-BPF
//!
//! Seccomp-BPF allows filtering syscalls via BPF programs. This crate provides
//! an allowlist-based filter that allows ~40 safe syscalls and kills the process
//! on any other syscall. A filter must compare `seccomp_data.arch` before it
//! compares syscall numbers, because the numbers differ between ABIs (x86_64
//! vs. i386 vs. x32), and it can only be installed after `PR_SET_NO_NEW_PRIVS`
//! unless the caller has `CAP_SYS_ADMIN`; that flag also stops a filtered
//! process from gaining privileges through set-uid binaries.
//!
//! ## Seccomp User Notify
//!
//! Seccomp user notification allows a supervisor process to intercept syscalls
//! from a sandboxed child, enabling filesystem virtualization without namespaces.
//! Pointer arguments are read from the target's memory after the kernel has
//! stopped it, and another thread of the target can rewrite them in the
//! meantime (a TOCTOU window). The kernel documents user notification as a way
//! to emulate or continue syscalls, not as a security boundary for
//! memory-referenced arguments, so enforcement must still come from the BPF
//! filter itself, from Landlock, or from namespaces.
//!
//! # Safety
//!
//! This crate contains raw syscall wrappers. Casts between integer types
//! are unavoidable when interfacing with the kernel ABI.

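The ABI-gating described under Landlock above, as an added example that is not evalbox_sys code (the crate's own `landlock` module is not shown on this page): it probes the kernel's ABI with the documented `LANDLOCK_CREATE_RULESET_VERSION` query and masks a wanted policy down to the rights that kernel can handle. The `HandledAccess` struct, `supported_access`, `best_effort`, `probe_abi` and the raw-syscall helper are names invented for this example; the syscall number 444 and the access-right bits are the upstream UAPI values. The probe is only implemented for x86_64 Linux here; the masking logic is pure and runs anywhere.

```rust
// Added example, not evalbox_sys code: probe the running kernel's Landlock ABI
// and trim the access rights we want to handle down to what it supports, so
// landlock_create_ruleset() does not fail with EINVAL on an older kernel.

// Filesystem access rights from <linux/landlock.h>. Bits 0..=12 (EXECUTE
// through MAKE_SYM) exist since ABI 1; each later ABI added one bit.
pub const LANDLOCK_ACCESS_FS_ABI1_MASK: u64 = (1 << 13) - 1;
pub const LANDLOCK_ACCESS_FS_REFER: u64 = 1 << 13; // ABI 2
pub const LANDLOCK_ACCESS_FS_TRUNCATE: u64 = 1 << 14; // ABI 3
pub const LANDLOCK_ACCESS_FS_IOCTL_DEV: u64 = 1 << 15; // ABI 5
// Network rights (ABI 4) and scope flags (ABI 6) are separate bitmasks.
pub const LANDLOCK_ACCESS_NET_BIND_TCP: u64 = 1 << 0;
pub const LANDLOCK_ACCESS_NET_CONNECT_TCP: u64 = 1 << 1;
pub const LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET: u64 = 1 << 0;
pub const LANDLOCK_SCOPE_SIGNAL: u64 = 1 << 1;

/// The `handled_access_fs`, `handled_access_net` and `scoped` fields of
/// `struct landlock_ruleset_attr` (hypothetical name, for this example).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct HandledAccess {
    pub fs: u64,
    pub net: u64,
    pub scope: u64,
}

/// Everything a kernel reporting `abi` can handle (`abi <= 0`: no Landlock).
pub fn supported_access(abi: i32) -> HandledAccess {
    let mut h = HandledAccess { fs: 0, net: 0, scope: 0 };
    if abi >= 1 { h.fs |= LANDLOCK_ACCESS_FS_ABI1_MASK; }
    if abi >= 2 { h.fs |= LANDLOCK_ACCESS_FS_REFER; }
    if abi >= 3 { h.fs |= LANDLOCK_ACCESS_FS_TRUNCATE; }
    if abi >= 4 { h.net |= LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP; }
    if abi >= 5 { h.fs |= LANDLOCK_ACCESS_FS_IOCTL_DEV; }
    if abi >= 6 { h.scope |= LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL; }
    h
}

/// Best-effort policy: keep only the rights the kernel knows about. Whatever is
/// dropped here is *not* enforced, so callers should log `wanted.fs & !kept.fs`
/// (and the net/scope equivalents) instead of assuming full coverage.
pub fn best_effort(wanted: HandledAccess, abi: i32) -> HandledAccess {
    let s = supported_access(abi);
    HandledAccess { fs: wanted.fs & s.fs, net: wanted.net & s.net, scope: wanted.scope & s.scope }
}

/// Raw x86_64 `syscall` instruction; returns the kernel's value (-errno on failure).
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
unsafe fn raw_syscall3(nr: usize, a1: usize, a2: usize, a3: usize) -> isize {
    let ret: usize;
    unsafe {
        std::arch::asm!(
            "syscall",
            inlateout("rax") nr => ret,
            in("rdi") a1, in("rsi") a2, in("rdx") a3,
            lateout("rcx") _, lateout("r11") _,
            options(nostack),
        );
    }
    ret as isize
}

/// `landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)`: the
/// documented way to ask for the ABI version without creating a ruleset.
/// ENOSYS means the kernel lacks Landlock; EOPNOTSUPP means it is built but
/// not enabled in the `lsm=` boot list.
#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
pub fn probe_abi() -> std::io::Result<i32> {
    const SYS_LANDLOCK_CREATE_RULESET: usize = 444;
    const LANDLOCK_CREATE_RULESET_VERSION: usize = 1 << 0;
    // SAFETY: a null attr pointer and zero size are exactly what the version
    // query expects; the kernel dereferences nothing.
    let r = unsafe { raw_syscall3(SYS_LANDLOCK_CREATE_RULESET, 0, 0, LANDLOCK_CREATE_RULESET_VERSION) };
    if r < 0 { Err(std::io::Error::from_raw_os_error((-r) as i32)) } else { Ok(r as i32) }
}

fn main() {
    // Constructed policy: ABI 1 filesystem rights plus truncate, outbound TCP, signals.
    let wanted = HandledAccess {
        fs: LANDLOCK_ACCESS_FS_ABI1_MASK | LANDLOCK_ACCESS_FS_TRUNCATE,
        net: LANDLOCK_ACCESS_NET_CONNECT_TCP,
        scope: LANDLOCK_SCOPE_SIGNAL,
    };
    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
    {
        match probe_abi() {
            Ok(abi) => println!("Landlock ABI {abi}: handling {:?}", best_effort(wanted, abi)),
            Err(e) => println!("Landlock unavailable: {e}"),
        }
    }
    #[cfg(not(all(target_os = "linux", target_arch = "x86_64")))]
    {
        println!("no probe on this target; ABI 2 would handle {:?}", best_effort(wanted, 2));
    }
}
```

On an ABI 2 kernel the constructed policy loses truncate, connect and signal restrictions, and `best_effort` reports exactly that; a sandbox that treats those as required should refuse to start rather than run with a silently weaker policy.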
#![allow(clippy::cast_possible_truncation)]
#![allow(clippy::cast_sign_loss)]

pub mod check;
pub mod landlock;
pub mod seccomp;
pub mod seccomp_notify;

pub use check::{CheckError, SystemInfo, check};

/// Returns the calling thread's current `errno` as a [`rustix::io::Errno`].
///
/// Read it immediately after the raw syscall that failed: any libc call in
/// between (allocation, logging, another wrapper) may overwrite the value.
#[inline]
pub fn last_errno() -> rustix::io::Errno {
    // SAFETY: __errno_location always returns a valid thread-local pointer.
    rustix::io::Errno::from_raw_os_error(unsafe { *libc::__errno_location() })
}
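The allowlist filter described under Seccomp-BPF, as an added example that is not the crate's `seccomp` module: it assembles the classic-BPF program (architecture check, x32 marker-bit check, one `JEQ` per allowed syscall) and evaluates it offline with a minimal interpreter, so the policy can be unit-tested before it is ever installed. `SockFilter`, `build_allowlist` and `run_filter` are names chosen for this example; the opcodes, return actions and `seccomp_data` offsets are the upstream UAPI values, and the three-syscall list in `main` is constructed for illustration. Installing the result (`PR_SET_NO_NEW_PRIVS`, then `PR_SET_SECCOMP`/`seccomp(2)`) is left to the crate.

```rust
// Added example, not the evalbox_sys `seccomp` module: build a seccomp-BPF
// allowlist as a classic-BPF program and evaluate it offline with a minimal
// interpreter, so the policy can be unit-tested before it is ever installed.

/// Classic BPF instruction, layout-compatible with `struct sock_filter`.
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct SockFilter {
    pub code: u16,
    pub jt: u8,
    pub jf: u8,
    pub k: u32,
}

// Opcodes from <linux/bpf_common.h> (class | size/op | source); only the
// subset this allowlist needs.
const BPF_LD_W_ABS: u16 = 0x00 | 0x00 | 0x20; // acc = 32-bit word at offset k
const BPF_JEQ_K: u16 = 0x05 | 0x10 | 0x00; // pc += (acc == k) ? jt : jf
const BPF_JSET_K: u16 = 0x05 | 0x40 | 0x00; // pc += (acc & k != 0) ? jt : jf
const BPF_RET_K: u16 = 0x06 | 0x00; // return k

// Return actions from <linux/seccomp.h>.
pub const SECCOMP_RET_KILL_PROCESS: u32 = 0x8000_0000;
pub const SECCOMP_RET_ALLOW: u32 = 0x7fff_0000;

// Offsets into `struct seccomp_data`: `int nr` at 0, `__u32 arch` at 4.
const OFF_NR: u32 = 0;
const OFF_ARCH: u32 = 4;

// x86_64 identifiers from the kernel UAPI. The x32 ABI reports the x86_64
// arch value but marks its syscall numbers with bit 30, so a filter that
// only checks `arch` would pass x32 calls under the wrong numbers.
pub const AUDIT_ARCH_X86_64: u32 = 0xc000_003e;
pub const X32_SYSCALL_BIT: u32 = 0x4000_0000;

fn stmt(code: u16, k: u32) -> SockFilter {
    SockFilter { code, jt: 0, jf: 0, k }
}
fn jump(code: u16, k: u32, jt: u8, jf: u8) -> SockFilter {
    SockFilter { code, jt, jf, k }
}

/// Allowlist filter for one architecture: wrong arch, x32 marker bit, or a
/// syscall not in `allowed` all end in `SECCOMP_RET_KILL_PROCESS`.
pub fn build_allowlist(arch: u32, allowed: &[u32]) -> Vec<SockFilter> {
    let n = allowed.len();
    assert!(n > 0 && n <= 255, "jump offsets are 8-bit; split larger lists");
    let mut prog = vec![
        stmt(BPF_LD_W_ABS, OFF_ARCH),
        jump(BPF_JEQ_K, arch, 1, 0), // expected arch: skip the kill below
        stmt(BPF_RET_K, SECCOMP_RET_KILL_PROCESS),
        stmt(BPF_LD_W_ABS, OFF_NR),
        jump(BPF_JSET_K, X32_SYSCALL_BIT, 0, 1), // x32 bit set: fall into kill
        stmt(BPF_RET_K, SECCOMP_RET_KILL_PROCESS),
    ];
    // One JEQ per allowed syscall; a match jumps straight to the final ALLOW,
    // a miss falls through to the next comparison and finally to KILL.
    for (i, &nr) in allowed.iter().enumerate() {
        prog.push(jump(BPF_JEQ_K, nr, (n - i) as u8, 0));
    }
    prog.push(stmt(BPF_RET_K, SECCOMP_RET_KILL_PROCESS));
    prog.push(stmt(BPF_RET_K, SECCOMP_RET_ALLOW));
    prog
}

/// Evaluate `prog` against one `seccomp_data` (`nr`, `arch`) the way the
/// kernel's classic-BPF interpreter would, for the opcodes used above.
pub fn run_filter(prog: &[SockFilter], nr: u32, arch: u32) -> u32 {
    let mut acc: u32 = 0;
    let mut pc: usize = 0;
    loop {
        let insn = prog[pc];
        pc += 1;
        match insn.code {
            BPF_LD_W_ABS => {
                acc = match insn.k {
                    OFF_NR => nr,
                    OFF_ARCH => arch,
                    k => panic!("unsupported seccomp_data offset {k}"),
                };
            }
            BPF_JEQ_K => {
                let off = if acc == insn.k { insn.jt } else { insn.jf };
                pc += off as usize;
            }
            BPF_JSET_K => {
                let off = if (acc & insn.k) != 0 { insn.jt } else { insn.jf };
                pc += off as usize;
            }
            BPF_RET_K => return insn.k,
            code => panic!("unsupported opcode {code:#06x}"),
        }
    }
}

fn main() {
    // Constructed three-syscall allowlist (x86_64 numbers: read, write, exit_group).
    let prog = build_allowlist(AUDIT_ARCH_X86_64, &[0, 1, 231]);
    println!("{} instructions", prog.len());
    // execve (59) is not on the list and must be killed.
    println!("execve -> {:#010x}", run_filter(&prog, 59, AUDIT_ARCH_X86_64));
}
```

Because `run_filter` only implements the opcodes `build_allowlist` emits, it cannot be fooled by an instruction the builder never produces; keeping the interpreter that narrow is what makes an offline test of the policy trustworthy.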