nim-seccomp

Nim adapter for the https://en.wikipedia.org/wiki/Seccomp[Seccomp sandbox] facility

image:https://img.shields.io/badge/status-beta-orange.svg[badge] image:https://img.shields.io/github/tag/FedericoCeratto/nim-seccomp.svg[tags] image:https://img.shields.io/badge/License-LGPL%20v3-blue.svg[License]

Features

• Provides a high-level adaptor in seccomp.nim
• Low-level wrapper in seccomp_lowlevel.nim
• Tested on Linux
• Basic tests

Installation

[source,bash]

sudo apt-get install libseccomp2 nimble install seccomp

Usage

Refer to the generated documentation for the link:https://federicoceratto.github.io/nim-seccomp/docs/0.1.0/seccomp.html[seccomp] and link:https://federicoceratto.github.io/nim-seccomp/docs/0.1.0/seccomp_lowlevel.html[seccomp_lowlevel] modules

[source,nim]

import seccomp

setSeccomp("write exit_group")

echo """Seccomp is now enabled. Future attempts to change the Seccomp configuration or to call forbidden system calls will cause the process to be terminated"""

e.g. createDir("/tmp/foo")

or: [source,nim]

import seccomp

let ctx = seccomp_ctx() ctx.add_rule(Allow, "write") ctx.add_rule(Allow, "exit_group") ctx.load()

https://github.com/FedericoCeratto/nim-seccomp/blob/master/tests/trigger_seccomp.nim[tests/trigger_seccomp.nim] contains running examples of syscalls that will be blocked

Contributing

Testing and PRs are welcome.

Running tests:

[source,bash]

nimble test nimble test_trigger_seccomp