public/seccomp-sandbox
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update readme

Browse Source
This commit is contained in:
guochao 2023-11-02 10:05:34 +08:00
parent b38406c785
commit 6ba7dc8a41
1 changed files with 9 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
README.md
View File

@ -16,11 +16,6 @@ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
cargo build cargo build
``` ```
### Run
```
cargo run
```
### Generate syscalls with strace ### Generate syscalls with strace
@ -33,13 +28,21 @@ strace -f --output x2t-syscalls.txt /path/to/x2t some.xml
cargo 开启 tracing-mode 后,宏找不到环境变量和文件不会失败,可以直接生成一个。 cargo 开启 tracing-mode 后,宏找不到环境变量和文件不会失败,可以直接生成一个。
``` ```
RUST_LOG=trace cargo run --features tracing-mode -- -l x2t-syscalls.txt /path/to/x2t some.xml cargo build --features tracing-mode
RUST_LOG=trace ./target/debug/x2t-sandbox -- -l x2t-syscalls.txt /path/to/x2t some.xml
cat x2t-syscalls.txt | sort | uniq | sponge x2t-syscalls.txt cat x2t-syscalls.txt | sort | uniq | sponge x2t-syscalls.txt
cargo build cargo build
``` ```
更新 syscall 列表后重新构建二进制会生成新的 sandbox。 更新 syscall 列表后重新构建二进制会生成新的 sandbox。
### Run
```
./target/debug/x2t-sandbox /path/to/x2t some.xml
```
## 项目结构 ## 项目结构
- [项目](/) - [项目](/)
@ -51,12 +54,6 @@ cargo build
- .envrc: 如果不适用nix注释掉或者 direnv block 一下不加载就行 - .envrc: 如果不适用nix注释掉或者 direnv block 一下不加载就行
- .gitignore - .gitignore
## TODOs
- 看看怎么样对特定的 syscall 限制参数,尤其是
- execve
- prctl
## 比较相近的项目 ## 比较相近的项目
- [cloudflare/sandbox](https://github.com/cloudflare/sandbox): cloudflare/sandbox 在运行时配置规则,我们是在构建时配置规则 - [cloudflare/sandbox](https://github.com/cloudflare/sandbox): cloudflare/sandbox 在运行时配置规则,我们是在构建时配置规则