first commit

src/main.rs

@@ -0,0 +1,40 @@
+use std::{ffi::CString, ptr::null};
+
+use libseccomp::*;
+use nix::libc::EPERM;
+
+fn main() -> anyhow::Result<()> {
+    env_logger::init();
+
+    log::info!("restrict myself by set_no_new_privs...");
+    nix::sys::prctl::set_no_new_privs()?;
+
+    log::info!("create filter context...");
+
+    let mut filter = ScmpFilterContext::new_filter(ScmpAction::Errno(EPERM))?;
+
+    log::info!("add architecture to filter context...");
+    filter.add_arch(ScmpArch::X8664)?;
+
+    x2t_sandbox_rulegen::generate! {
+        log::info!("accepting {}", syscall_name);
+    };
+
+    log::info!("load filter into kernel...");
+    if let Err(err) = filter.load() {
+        log::error!("failed to load filter into kernel: {err}");
+        return Err(err.into());
+    }
+
+    let args: Vec<_> = std::env::args().map(|s| CString::new(s).unwrap()).collect();
+    let command = std::env::args().next().unwrap();
+    let command = CString::new(command).unwrap();
+    let env: Vec<CString> = Vec::new();
+
+    log::info!("executing {:?}", args);
+    if let Err(err) = nix::unistd::execve(&command, args.as_slice(), env.as_slice()) {
+        panic!("failed to execve for {err}");
+    }
+
+    panic!("unreachable");
+}