Home Explore Help
Sign In
mbuesch
/
letmein
Watch 1
Star 0
Fork 0
Files Pull Requests 0 Wiki
Branch: android-app
Branches Tags
letmein
/
letmeind
/
build.rs

build.rs 1.6 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 
  1. // -*- coding: utf-8 -*-
    2. 

  2. //
    3. 

  3. // Copyright (C) 2024 Michael Büsch <m@bues.ch>
    4. 

  4. //
    5. 

  5. // Licensed under the Apache License version 2.0
    6. 

  6. // or the MIT license, at your option.
    7. 

  7. // SPDX-License-Identifier: Apache-2.0 OR MIT
    8. 

  8. 

  9. #![forbid(unsafe_code)]
    10. 

  10. 

  11. use build_target::{target_arch, Arch};
    12. 

  12. use letmein_seccomp::{Action, Allow, Filter};
    13. 

  13. use std::{env, fs::OpenOptions, io::Write, path::Path};
    14. 

  14. 

  15. const SECCOMP_ALLOW_LIST: [Allow; 10] = [
    16. 

  16.     Allow::Mmap,
    17. 

  17.     Allow::Mprotect,
    18. 

  18.     Allow::Read,
    19. 

  19.     Allow::Write,
    20. 

  20.     Allow::Recv,
    21. 

  21.     Allow::Send,
    22. 

  22.     Allow::TcpAccept,
    23. 

  23.     Allow::UnixConnect,
    24. 

  24.     Allow::Signal,
    25. 

  25.     Allow::Futex,
    26. 

  26. ];
    27. 

  27. 

  28. fn seccomp_compile_action(arch: &Arch, action: Action) {
    29. 

  29.     let filter =
    30. 

  30.         if let Ok(filter) = Filter::compile_for_arch(&SECCOMP_ALLOW_LIST, action, arch.as_str()) {
    31. 

  31.             filter.serialize()
    32. 

  32.         } else {
    33. 

  33.             vec![]
    34. 

  34.         };
    35. 

  35. 

  36.     let suffix = match action {
    37. 

  37.         Action::Kill => "kill",
    38. 

  38.         Action::Log => "log",
    39. 

  39.     };
    40. 

  40. 

  41.     let filter_file = format!("seccomp_filter_{suffix}.bpf");
    42. 

  42.     let out_dir = env::var("OUT_DIR").expect("OUT_DIR is not set");
    43. 

  43. 

  44.     OpenOptions::new()
    45. 

  45.         .create(true)
    46. 

  46.         .truncate(true)
    47. 

  47.         .write(true)
    48. 

  48.         .open(Path::new(&out_dir).join(filter_file))
    49. 

  49.         .expect("Failed to open filter.bpf")
    50. 

  50.         .write_all(&filter)
    51. 

  51.         .expect("Failed to write filter.bpf");
    52. 

  52. }
    53. 

  53. 

  54. fn seccomp_compile(arch: &Arch) {
    55. 

  55.     seccomp_compile_action(arch, Action::Kill);
    56. 

  56.     seccomp_compile_action(arch, Action::Log);
    57. 

  57. }
    58. 

  58. 

  59. fn main() {
    60. 

  60.     let arch = target_arch().expect("Failed to get build target architecture");
    61. 

  61.     seccomp_compile(&arch);
    62. 

  62. }
    63. 

  63. 

  64. // vim: ts=4 sw=4 expandtab
    65. 

  65.