| () |___ ____ ()_ _____ | | | '_ \ \ /\ / / ` | \ \ / / _
| | | |) \ V V / (| | |\ V / __/ |||./ _/_/ _,|_| _/ _|

Overview

libwaive is a tiny library that provides waive(), a function that allows a process to waive its right to perform certain actions (e.g. open a file).

It is inspired by Theo de Raadt's tame() system call (http://article.gmane.org/gmane.os.openbsd.tech/43085) and uses libseccomp (https://github.com/seccomp/libseccomp) and cmake (https://cmake.org).

Building

libwaive can be built with either CMake (https://www.cmake.org/) or GNU Make (https://www.gnu.org/software/make/), with some limitations.

To build, simply run the following commands:

$ mkdir build $ cd build $ cmake .. $ make $ sudo make install

or:

$ make $ sudo make install

Limitations

libwaive has three major shortcomings:

1. It has to be updated when new system calls are introduced.
2. When built against older kernel headers, libwaive won't block newer system calls present in the kernel it actually runs on, because detection is done at build-time.
3. Due to limitations of libseccomp's API, libwaive cannot check the parameters of system calls that accept pointers (e.g. socketcall). Therefore, it is recommended to use WAIVE_SOCKET rather than WAIVE_INET, WAIVE_UN or WAIVE_PACKET, if possible.

Credits and Legal Information

libwaive is free and unencumbered software released under the terms of the MIT license; see COPYING for the license text. For a list of its authors and contributors, see AUTHORS.

The ASCII art logo at the top was made using FIGlet (http://www.figlet.org/).