From 5ba657dfc7733d9a6d4aa6217676d67096001e37 Mon Sep 17 00:00:00 2001
From: guochao
Date: Wed, 1 Nov 2023 21:56:16 +0800
Subject: [PATCH] improve sandbox
---
 src/main.rs | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/src/main.rs b/src/main.rs
index 0bf1d5c..d4bd757 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,13 +1,12 @@
 use nix::{
 libc::{c_long, EPERM, ORIG_RAX},
- sys::signal::Signal,
 unistd::{getpid, getppid},
 };
+use std::io::Write;
 use std::{
 ffi::{c_void, CString},
 mem::size_of,
 };
-use std::io::Write;
 use clap::*;
@@ -29,7 +28,6 @@ fn main() -> anyhow::Result<()> {
 log::trace!("args parsed: {args:?}");
- #[cfg(feature = "tracing-mode")]
 let tracing = args.log_failed_to != None;
@@ -56,7 +54,12 @@ fn main() -> anyhow::Result<()> {
 log::trace!("waiting for child to be ready...");
 waitpid(child, None)?;
- let mut output = match std::fs::OpenOptions::new().append(true).write(true).create(true).open(log_fail_to) {
+ let mut output = match std::fs::OpenOptions::new()
+ .append(true)
+ .write(true)
+ .create(true)
+ .open(log_fail_to)
+ {
 Ok(file) => file,
 Err(err) => {
 nix::sys::ptrace::kill(child)?;
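Review bot: `let tracing = args.log_failed_to != None;` compares an `Option` against `None`, which clippy reports as `partialeq_to_none` and needs `PartialEq` on the payload type; `let tracing = args.log_failed_to.is_some();` states the intent directly. With the `#[cfg(feature = "tracing-mode")]` gate removed from this binding, check that the gates on the places that read `tracing` (outside the hunk) were removed as well, otherwise a build without the feature carries an unused `tracing` binding. `main` starts outside the hunk.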
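Review bot: `.write(true)` in the new `OpenOptions` chain is redundant — `append(true)` already implies write access, and clippy's `ineffective_open_options` flags the pair — so `.append(true).create(true).open(log_fail_to)` is the honest form. Since `log_fail_to` is presumably the caller-supplied path from the parsed args and is created with the umask default mode, `std::os::unix::fs::OpenOptionsExt::mode(0o600)` would keep the log private to the sandbox owner if it can land in a shared directory; the crate already depends on Linux-only `nix`, so the Unix extension is available. In the `Err` arm, `nix::sys::ptrace::kill(child)?;` returns the kill error in place of the original open error when the kill itself fails; the arm continues past the hunk, as does `main`.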
@@ -74,20 +77,24 @@ fn main() -> anyhow::Result<()> {
 log::info!("child {pid} exited with return code {ret}");
 break;
 }
- WaitStatus::PtraceEvent(pid, sig,_) => {
+ WaitStatus::PtraceEvent(pid, sig, _) => {
 let syscall_nr = nix::sys::ptrace::read_user(
 pid,
 (size_of::() * ORIG_RAX as usize) as *mut c_void,
 )? as i32;
 let syscall = ScmpSyscall::from(syscall_nr);
- let syscall_name = syscall.get_name().unwrap_or(format!("syscall({syscall_nr})"));
+ let syscall_name = syscall
+ .get_name()
+ .unwrap_or(format!("syscall({syscall_nr})"));
 log::info!("parent: child {pid} received signal {sig:?} syscall: {syscall_name}({syscall_nr})");
- writeln!(output, "{} {}", pid.as_raw(), syscall_name);
+ if let Err(err) = writeln!(output, "{} {}", pid.as_raw(), syscall_name) {
+ log::warn!("failed to write to output file: {err}")
+ }
 }
- _ => {},
+ _ => {}
 }
- nix::sys::ptrace::cont(child, None);
+ nix::sys::ptrace::cont(child, None)?;
 }
 return Ok(());
 }
@@ -126,7 +133,10 @@ fn main() -> anyhow::Result<()> {
 log::trace!("create filter context...");
 let mut filter = ScmpFilterContext::new_filter(default_action)?;
- filter.add_rule(ScmpAction::Allow, ScmpSyscall::from(nix::libc::SYS_execve as i32))?;
+ filter.add_rule(
+ ScmpAction::Allow,
+ ScmpSyscall::from(nix::libc::SYS_execve as i32),
+ )?;
 x2t_sandbox_rulegen::generate! {
 log::trace!("accepting {}({})", syscall_name, syscall_nr);
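Review bot: After logging, `nix::sys::ptrace::cont(child, None)?;` resumes the tracee with the syscall untouched, so if the filter routes these syscalls to the tracer with `ScmpAction::Trace` (the filter's action is not visible in this hunk) the logged syscall still executes; a log-and-deny mode would have to rewrite the syscall number and return value with `nix::sys::ptrace::write_user` before resuming, so it is worth confirming which behaviour `log_failed_to` is meant to provide. The stop is reported for `pid` but the resume targets `child`, which is only equivalent if the `waitpid` above the hunk waits on `child` alone; `nix::sys::ptrace::cont(pid, None)?;` would follow the event regardless. Stops that fall into `_ => {}` are also resumed with `None`, so a signal-delivery stop loses its signal instead of re-injecting it. The enclosing loop and `main` begin outside the hunk.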