Merge pull request 'WS-207807 # fix unused imports' (#1) from guochao/x2t-sandbox:master into master

Reviewed-on: https://gitea.jianguoyun.net.cn/nutstore-onlyoffice/x2t-sandbox/pulls/1
Reviewed-by: huangqingming <huangqingming@noreply.localhost>
huangqingming 2024-01-19 09:14:19 +08:00
commit a61b6721cd
2 changed files with 55 additions and 59 deletions


@ -10,69 +10,54 @@
let let
systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ]; systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
foreachSystem = nixpkgs.lib.genAttrs systems; foreachSystem = nixpkgs.lib.genAttrs systems;
buildTools = pkgs: with pkgs; [
pkg-config # hooks pc files into environment variable for futher usage
];
developmentTools = pkgs: with pkgs; [
cargo-expand
];
libraries = pkgs: with pkgs; [
libseccomp
];
buildRustPlatform = pkgs: with fenix.packages."${pkgs.stdenv.system}"; let toolchain = combine [ complete.toolchain targets."x86_64-unknown-linux-musl".latest.rust-std ]; in pkgs.makeRustPlatform {
cargo = toolchain;
rustc = toolchain;
};
buildWithPackages = pkgs: pkgsStatic: features: (buildRustPlatform pkgsStatic).buildRustPackage rec {
pname = "x2t-sandbox";
version = "1.0.0";
nativeBuildInputs = buildTools pkgs;
buildInputs = libraries pkgsStatic;
buildFeatures = features;
src = ./.;
cargoLock = {
lockFile = ./Cargo.lock;
};
meta = with nixpkgs.lib; {
description = "seccomp sandbox with rules defined at build stage";
homepage = "https://gitea.jianguoyun.net.cn/guochao/x2t-sandbox";
license = licenses.unlicense;
maintainers = [ ];
};
};
in in
rec { rec {
packages = foreachSystem (system: packages = foreachSystem (system:
let let
pkgs = import nixpkgs { inherit system; }; pkgs = import nixpkgs { inherit system; };
rustPlatform = pkgs.makeRustPlatform {
cargo = fenix.packages."${pkgs.stdenv.system}".complete.toolchain;
rustc = fenix.packages."${pkgs.stdenv.system}".complete.toolchain;
};
buildTools = with pkgs; [ pkg-config ];
libraries = with pkgs; [ libseccomp ];
in in
rec { rec {
x2t-sandbox-static = buildWithPackages pkgs pkgs.pkgsStatic []; x2t-sandbox = rustPlatform.buildRustPackage rec {
x2t-sandbox-static-tracing-mode = buildWithPackages pkgs pkgs.pkgsStatic ["tracing-mode"]; pname = "x2t-sandbox";
version = "1.0.0";
x2t-sandbox = buildWithPackages pkgs pkgs []; nativeBuildInputs = buildTools;
buildInputs = libraries;
default = x2t-sandbox-static; src = ./.;
cargoLock = {
lockFile = ./Cargo.lock;
};
meta = with nixpkgs.lib; {
description = "seccomp sandbox with rules defined at build stage";
homepage = "https://gitea.jianguoyun.net.cn/guochao/x2t-sandbox";
license = licenses.unlicense;
maintainers = [ ];
};
};
default = x2t-sandbox;
}); });
devShells = foreachSystem devShells = foreachSystem
(system: (system:
let let
pkgs = import nixpkgs { inherit system; }; pkgs = import nixpkgs { inherit system; };
developmentTools = with pkgs; [
cargo-expand
];
in in
with pkgs; rec { with pkgs; rec {
default = packages."${system}".default.overrideAttrs (prevAttrs: { default = packages."${system}".default.overrideAttrs (prevAttrs: {
nativeBuildInputs = prevAttrs.nativeBuildInputs ++ (with fenix.packages."${system}".combine; with fenix.packages."${system}"; with pkgs; [ nativeBuildInputs = prevAttrs.nativeBuildInputs ++ (with fenix.packages."${system}".complete; [ rust-analyzer rust-src ]) ++ developmentTools;
complete.rust-analyzer
complete.rust-src
]) ++ (developmentTools pkgs);
}); });
}); });
}; };
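Review bot: The new `x2t-sandbox` derivation passes no `buildFeatures`, so the `tracing-mode` cargo feature that the Rust source in this same commit gates on is never compiled into the packaged binary, and nothing in the flake records whether that is deliberate. If it is — a tracing build that logs failed syscalls presumably enforces less than the plain `Errno(EPERM)` build — say so next to the derivation, e.g. `buildFeatures = [ ]; # tracing-mode stays off: the packaged sandbox ships deny-by-default only`, so a later contributor does not enable it casually for the default package. `src = ./.;` also copies the whole checkout into the store; `src = nixpkgs.lib.cleanSource ./.;` keeps editor and build droppings out of the input hash and makes the build input reproducible across working trees.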


@ -1,28 +1,36 @@
#[cfg(feature = "tracing-mode")]
use nix::{ use nix::{
libc::{c_long, EPERM, ORIG_RAX}, libc::{c_long, ORIG_RAX},
sys::stat::Mode,
unistd::{getpid, getppid, Pid}, unistd::{getpid, getppid, Pid},
}; };
use std::io::Write; #[cfg(feature = "tracing-mode")]
use std::{ use std::{ffi::c_void, io::Write, mem::size_of};
ffi::{c_void, CString},
mem::size_of, use nix::{libc::EPERM, sys::stat::Mode};
}; use std::ffi::CString;
use clap::*; use clap::*;
use libseccomp::*; use libseccomp::*;
#[derive(clap::Parser, Debug)] #[cfg(not(feature = "tracing-mode"))]
#[derive(Parser, Debug)]
struct Args { struct Args {
#[cfg(feature = "tracing-mode")]
#[clap(short, long)]
log_failed_to: Option<String>,
#[clap(required = true)] #[clap(required = true)]
command: Vec<String>, command: Vec<String>,
} }
#[cfg(feature = "tracing-mode")]
#[derive(Parser, Debug)]
struct Args {
#[clap(required = true)]
command: Vec<String>,
#[clap(short, long)]
log_failed_to: Option<String>,
}
fn main() -> anyhow::Result<()> { fn main() -> anyhow::Result<()> {
env_logger::init(); env_logger::init();
@ -33,7 +41,10 @@ fn main() -> anyhow::Result<()> {
#[cfg(feature = "tracing-mode")] #[cfg(feature = "tracing-mode")]
let tracing = args.log_failed_to != None; let tracing = args.log_failed_to != None;
#[cfg(feature = "tracing-mode")]
let mut default_action = ScmpAction::Errno(EPERM); let mut default_action = ScmpAction::Errno(EPERM);
#[cfg(not(feature = "tracing-mode"))]
let default_action = ScmpAction::Errno(EPERM);
#[cfg(feature = "tracing-mode")] #[cfg(feature = "tracing-mode")]
if let Some(log_fail_to) = args.log_failed_to { if let Some(log_fail_to) = args.log_failed_to {
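Review bot: The deny-by-default action is now declared twice, once as the `mut` binding under `#[cfg(feature = "tracing-mode")]` and once as an immutable copy under `#[cfg(not(feature = "tracing-mode"))]`, so the two builds can silently drift apart on the one value the sandbox's enforcement rests on. A single binding with the warning suppressed in the non-tracing build keeps one source of truth: `#[cfg_attr(not(feature = "tracing-mode"), allow(unused_mut))]` followed by `let mut default_action = ScmpAction::Errno(EPERM); // deny-by-default; only tracing mode may override this`. The same duplicate-under-cfg pattern is used for the two `Args` structs in the earlier hunk, where the shared `command` field is now spelled out twice. The `if let` on the last line opens a block that continues past the hunk, so whatever reassigns `default_action` in tracing mode is not visible here and should be checked against the comment above.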