 _ _ _                  _
| (_) |____      ____ _(_)_   _____
| | | '_ \ \ /\ / / _` | \ \ / / _ \
| | | |_) \ V  V / (_| | |\ V /  __/
|_|_|_.__/ \_/\_/ \__,_|_| \_/ \___|

Overview
========

libwaive is a tiny library that provides waive(), a function that allows a
process to waive its right to perform certain actions (e.g. open a file).

It is inspired by Theo de Raadt's tame() system call
(http://article.gmane.org/gmane.os.openbsd.tech/43085) and uses libseccomp
(https://github.com/seccomp/libseccomp) and cmake (https://cmake.org).

Building
========

libwaive can be built with either CMake (https://www.cmake.org/) or GNU Make
(https://www.gnu.org/software/make/), with some limitations.

To build, simply run the following commands:

  $ mkdir build
  $ cd build
  $ cmake ..
  $ make
  $ sudo make install

or:

  $ make
  $ sudo make install

Limitations
===========

libwaive has three major shortcomings:

  1) It has to be updated when new system calls are introduced.
  2) When built against older kernel headers, libwaive won't block newer system
     calls present in the kernel it actually runs on, because detection is done
     at build-time.
  3) Due to limitations of libseccomp's API, libwaive cannot check the
     parameters of system calls that accept pointers (e.g. socketcall).
     Therefore, it is recommended to use WAIVE_SOCKET rather than WAIVE_INET,
     WAIVE_UN or WAIVE_PACKET, if possible.
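
Limitation 3 in practice, as an added example that is not part of libwaive and
does not use its API: a raw seccomp-BPF filter (written without libseccomp) can
refuse socket(AF_INET, ...) because the domain is passed by value, which is
exactly what cannot be done for socketcall(), whose arguments sit behind a
pointer. The names deny_inet_sockets and probe_socket are hypothetical, and the
code assumes Linux on x86-64 or AArch64.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#endif /* assumption: other architectures are out of scope here */
#define FIELD(f) ((unsigned int)offsetof(struct seccomp_data, f))
/* Hypothetical helper: make socket(AF_INET, ...) fail with EACCES. The filter
 * sees args[0] as a plain value; for socketcall() it would be an opaque pointer. */
static int deny_inet_sockets(void)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),        /* foreign ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(args[0])), /* low word (LE) */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof(insns) / sizeof(insns[0])), insns };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
           prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns the errno socket(domain, ...) got in a filtered child, 0 on success. */
int probe_socket(int domain)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) { /* child: the filter is installed only here */
        if (deny_inet_sockets() != 0) _exit(255);
        _exit(socket(domain, SOCK_STREAM, 0) < 0 ? errno : 0);
    }
    return (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
               ? WEXITSTATUS(status) : -1;
}
```

The filter is a small deny-list kept short for illustration: on x86-64 it does
not reject the x32 ABI's syscall numbers, which a real filter must also handle.
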

Credits and Legal Information
=============================

libwaive is free and unencumbered software released under the terms of the MIT
license; see COPYING for the license text. For a list of its authors and
contributors, see AUTHORS.

The ASCII art logo at the top was made using FIGlet (http://www.figlet.org/).