libwaive

A library that allows processes to waive their rights

[ASCII art logo: libwaive]

Overview

libwaive is a tiny library that provides waive(), a function that allows a process to waive its right to perform certain actions (e.g. open a file).

It is inspired by Theo de Raadt's tame() system call (http://article.gmane.org/gmane.os.openbsd.tech/43085) and uses libseccomp (https://github.com/seccomp/libseccomp) and cmake (https://cmake.org).

Building

libwaive can be built with either CMake (https://www.cmake.org/) or GNU Make (https://www.gnu.org/software/make/), with some limitations.

To build, simply run the following commands:

    $ mkdir build
    $ cd build
    $ cmake ..
    $ make
    $ sudo make install

or:

    $ make
    $ sudo make install

Limitations

libwaive has three major shortcomings:

  1. It has to be updated when new system calls are introduced.
  2. When built against older kernel headers, libwaive won't block newer system
    calls present in the kernel it actually runs on, because detection is done
    at build-time.
  3. Due to limitations of libseccomp's API, libwaive cannot check the
    parameters of system calls that accept pointers (e.g. socketcall).
    Therefore, it is recommended to use WAIVE_SOCKET rather than WAIVE_INET,
    WAIVE_UN or WAIVE_PACKET, if possible.
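
Limitation 3 in practice, as an added example that is not libwaive's code: a raw seccomp-BPF filter (written without libseccomp) can tell socket(AF_INET, ...) from socket(AF_UNIX, ...) only because the domain arrives as a plain register value. The function names are hypothetical, and the code assumes Linux on an architecture with a direct socket system call (e.g. x86-64).

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hypothetical helper (not libwaive code): refuse socket(AF_INET, ...) with
 * EPERM and allow everything else. The filter sees only struct seccomp_data:
 * the syscall number and six raw register values. For socket() args[0] is the
 * domain itself; for socketcall() it would be a pointer BPF cannot follow.
 * Assumes little-endian; a real filter must also check seccomp_data.arch. */
static int deny_inet_sockets(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { (unsigned short)(sizeof(prog) / sizeof(prog[0])), prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Applies the filter in a forked child so the caller stays unfiltered. Returns 0
 * if AF_INET gets EPERM while AF_UNIX works, 1-3 for the failed step, -1 on error. */
int inet_waived_in_child(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        if (deny_inet_sockets() != 0)
            _exit(1);
        if (socket(AF_INET, SOCK_STREAM, 0) != -1 || errno != EPERM)
            _exit(2);
        _exit(socket(AF_UNIX, SOCK_STREAM, 0) >= 0 ? 0 : 3);
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) { return inet_waived_in_child(); }
```

Where the C library reaches the kernel through socketcall instead, the same comparison is not possible, which is why the coarser WAIVE_SOCKET is the recommended choice.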

Credits and Legal Information

libwaive is free and unencumbered software released under the terms of the MIT license; see COPYING for the license text. For a list of its authors and contributors, see AUTHORS.

The ASCII art logo at the top was made using FIGlet (http://www.figlet.org/).