public/seccomp-sandbox
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix seccomp and add tracing-mode project feature

Browse Source
This commit is contained in:
guochao
2023-11-01 21:53:20 +08:00
parent 51064a503b
commit 3305f70f77
11 changed files with 298 additions and 1069 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
x2t-sandbox-rulegen/src/lib.rs
View File

@ -1,7 +1,7 @@
use std::{collections::HashSet, str::FromStr};
use proc_macro::*;
use quote::{quote, format_ident, TokenStreamExt};
use quote::{quote, format_ident};
#[proc_macro]
pub fn generate(input: TokenStream) -> TokenStream {
@ -15,7 +15,14 @@ pub fn generate(input: TokenStream) -> TokenStream {
} else if let Ok(syscalls) = std::fs::read_to_string(&syscall_filepath) {
generate_from(input.clone(), syscalls, "\n").into()
} else {
#[cfg(not(feature = "no-fail"))]
panic!("either specify a X2T_SYSCALLS environment variable with values seperated by colon or write the allowed syscalls line by line into {}", syscall_filepath.to_string_lossy());
#[cfg(feature = "no-fail")]
{
eprintln!("x2t syscalls not found. macro is not failing. but you program may fail. turn on tracing-mode to find out what happened");
TokenStream::new()
}
}
}
@ -50,7 +57,7 @@ fn generate_from(input: proc_macro::TokenStream, buf: String, sep: &str) -> proc
{
let syscall_nr = nix::libc::#libc_name;
let syscall_name = #syscall_name;
filter.add_rule_conditional(ScmpAction::Allow, syscall_nr as i32, &[])?;
filter.add_rule(ScmpAction::Allow, syscall_nr as i32)?;
#hook
}
}