A mruby gem to access libseccomp API
- add conf.gem line to
build_config.rb
MRuby::Build.new do |conf|
# ... (snip) ...
conf.gem :github => 'haconiwa/mruby-seccomp'
end
context = Seccomp.new(default: :kill) do |rule|
rule.allow(:open)
rule.allow(:close)
rule.allow(:read, Seccomp::ARG(:==, $stdin.fileno), Seccomp::ARG(:!=, 0x0), Seccomp::ARG(:<=, File::SSIZE_MAX))
# rule.kill(:open)
# rule.trap(:open) ...
end
context.allow(...) # if necessary out of block
context.load # to load context to current process
Process.fork do
# This process is also jailed
...
end
context.fork do
# This spawns a new process which is jailed
# but the parent process will be remain unloaded
end
context.reset(:allow) # to reset
mruby-seccomp
itself is under the MIT License:
- see LICENSE file
- Trapping SIGSYS and get
si_syscall
in the block