Thanks to visit codestin.com
Credit goes to lib.rs

Lib.rs

Operating systemsUnix APIs | Development toolsDebugging
#seccomp #linux #ptrace #container #policy

bin+lib restrict

A crate to allow, deny, or trace Linux syscalls with an ergonomic, auto-generated enum customized for your system architecture

by x0rw

8 releases

0.2.1 Jun 30, 2025
0.2.0 Jun 22, 2025
0.1.5 May 14, 2025

#301 in Unix APIs

Codestin Search App

675 downloads per month

MIT license

66KB
1.5K SLoC

restrict

Crates.io Docs.rs License: MIT CI

restrict is an advanced Rust crate providing ergonomic and developer-friendly Linux syscall filtering.

It empowers you to precisely control, monitor, and even dynamically alter system calls at runtime through a clean, expressive API. With an auto-generated, system-aware Syscall enum and a robust policy manager, restrict offers built-in metrics, structured logging, and powerful interception hooks for advanced security and observability.

Features

  • Auto‑generated Syscall enum matched to your host architecture
  • Ergonomic API (e.g., policy.allow(Syscall::Write)?;)
  • Safe wrappers: all unsafe code is isolated in wrapper.rs
  • Dual policy modes: choose allow‑by‑default or deny‑by‑default
  • Interception hooks:
    • entry_intercept & exit_intercept — inspect, modify, or skip individual syscalls
    • Registers manipulation — read/write syscall arguments and return values
  • Built‑in metrics: Prometheus‑compatible counters, gauges, and histograms
  • Structured logging: plug into tracing_subscriber (or your own logger)

Prerequisites

On Linux, install the development headers for seccomp:

sudo apt-get update
sudo apt-get install -y libseccomp-dev

Examples

Check out the examples/ directory for runnable demos showcasing different features:

$ tree examples
examples
├── example_01_write.rs            # Simple write and open deny policy
├── example_02_openat.rs           # openat deny 
├── example_openat_errno.rs     # openat with custom errno
├── example_mul_tracing.rs      # Multiple syscall tracers
├── example_command.rs          # Execve sandbox
├── example_intercept.rs           # Write syscall Registers manipulation example
├── example_logs.rs                # Structured logging via tracing
├── prometheus_metrics.rs          # Prometheus metrics exporter example
└── truncate_filter.rs             # Truncate write() syscall demo similar to example_intercept

Quickstart

It’s usually safest to start with all syscalls permitted, then explicitly block the ones you don’t want:

use restrict::{Policy, Syscall};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Begin with everything allowed
    let mut policy = Policy::allow_all()?;

    // Block process creation and tracing
    policy
        .deny(Syscall::Execve)
        .deny(Syscall::Ptrace)
        .apply()?;  // Load the final rule set into the kernel

    // Your program continues here with the policy enforced
    Ok(())
}

If you prefer blocked syscalls to return a specific errno instead of killing the process:

let mut policy = Policy::allow_all()?;
policy
    .fail_with(Syscall::Execve, 5)   // Execve returns errno 5 (EIO)
    .fail_with(Syscall::Ptrace, 5)
    .apply()?;

For a stricter default that denies everything except what you explicitly allow:

let mut policy = Policy::deny_all()?;
policy
    .allow(Syscall::Read)
    .allow(Syscall::Write)
    .apply()?;

To trace or log a syscall at runtime, register a handler:


let mut policy = Policy::allow_all()?;
policy
    .trace(Syscall::Openat, |syscall| {
        println!("Intercepted syscall: {:?}", syscall);
        TraceAction::Continue
    })
    .apply()?;

// Attempt to open a file; your handler will run first
let result = fs::File::open("test.txt");
println!("File open result: {:?}", result);

The handler must return either TraceAction::Continue (allow the syscall) or TraceAction::Kill (abort the process).

API Reference

  • Policy::allow_all() Start with every syscall allowed; use .deny(syscall) or .fail_with(syscall, errno) to restrict.

  • Policy::deny_all() Start with every syscall blocked; use .allow(syscall) to permit only what you need.

  • policy.allow(syscall: Syscall) Permit the specified syscall.

  • policy.deny(syscall: Syscall) Block the specified syscall, causing immediate process termination on invocation.

  • policy.fail_with(syscall: Syscall, errno: u16) Block the syscall but return the given errno instead of killing the process.

  • policy.trace(syscall: Syscall, handler: Fn(Syscall) -> TraceAction) Register a callback to run before the syscall; choose whether to continue or kill.

  • policy.apply() Compile and load your configured rules into the kernel.

Generated Syscall Enum

During build, restrict parses your system headers (e.g. /usr/include/asm/unistd_64.h) and emits:

/// System call list generated from `/usr/include/asm/unistd_64.h`
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Syscall {
    Read = 0,
    Write = 1,
    Open = 2,
    // … etc …
}

This ensures accuracy across architectures (x86_64, aarch64, etc.). To override the header location:

SYSCALL_INCLUDE_DIR=/path/to/other/asm cargo build

License

This project is licensed under the terms of the MIT license.

See the LICENSE file for more details.

Dependencies

~3–7MB
~96K SLoC