WEFT_OS/crates/weft-runtime/src
Marco Allegretti 98a21da734 feat(runtime): seccomp blocklist filter via optional seccomp feature
Add seccomp feature flag (seccompiler + libc, Linux-only, optional).

When compiled with --features seccomp, weft-runtime installs a
SECCOMP_MODE_FILTER immediately after argument parsing, before any
package resolution or WASM execution.

Filter strategy: default-allow with explicit KillProcess rules for
high-risk syscalls a WASM runtime process has no legitimate need for:
ptrace, process_vm_readv/writev, kexec_load, personality, syslog,
reboot, mount/umount2, setuid/setgid/setreuid/setregid/setresuid/
setresgid, chroot, pivot_root, init_module/finit_module/delete_module,
bpf, perf_event_open, acct.

The feature is off by default so the standard build and tests are
unaffected. Enable in production service builds with --features seccomp.
2026-03-11 15:34:21 +01:00
..
main.rs feat(runtime): seccomp blocklist filter via optional seccomp feature 2026-03-11 15:34:21 +01:00
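The default-allow strategy in the commit message above, written out as the classic-BPF program such a filter compiles to, with a small interpreter so the decision logic can be checked without installing it. This is an added example, not weft-runtime code (which uses seccompiler): `Insn`, `build_filter`, `run` and `DENIED` are hypothetical names, and the syscall numbers are x86_64 values for a subset of the commit's list. The architecture and x32 checks are assumptions about what a blocklist needs in order not to be sidestepped through another syscall ABI; the commit message does not mention them.

```rust
// Added example, not weft-runtime code. Constants are Linux UAPI values;
// syscall numbers are x86_64 and cover only part of the commit's list.
#[derive(Clone, Copy)]
pub struct Insn { code: u16, jt: u8, jf: u8, k: u32 }

const LD_W_ABS: u16 = 0x20; // BPF_LD | BPF_W | BPF_ABS
const JEQ_K: u16 = 0x15; // BPF_JMP | BPF_JEQ | BPF_K
const JGE_K: u16 = 0x35; // BPF_JMP | BPF_JGE | BPF_K
const RET_K: u16 = 0x06; // BPF_RET | BPF_K
pub const ALLOW: u32 = 0x7fff_0000; // SECCOMP_RET_ALLOW
pub const KILL_PROCESS: u32 = 0x8000_0000; // SECCOMP_RET_KILL_PROCESS
pub const AUDIT_ARCH_X86_64: u32 = 0xC000_003E;
pub const X32_BIT: u32 = 0x4000_0000; // __X32_SYSCALL_BIT
pub const DENIED: [u32; 5] = [101, 161, 165, 169, 321]; // ptrace chroot mount reboot bpf

/// Layout: arch check, load nr, x32 check, one JEQ per denied syscall,
/// RET ALLOW (the default), RET KILL_PROCESS (target of every deny jump).
pub fn build_filter(denied: &[u32]) -> Vec<Insn> {
    assert!(denied.len() < 250, "BPF jump offsets are 8-bit");
    let n = denied.len() as u8;
    let mut p = vec![
        Insn { code: LD_W_ABS, jt: 0, jf: 0, k: 4 }, // seccomp_data.arch
        Insn { code: JEQ_K, jt: 0, jf: n + 3, k: AUDIT_ARCH_X86_64 }, // else kill
        Insn { code: LD_W_ABS, jt: 0, jf: 0, k: 0 }, // seccomp_data.nr
        Insn { code: JGE_K, jt: n + 1, jf: 0, k: X32_BIT }, // x32 ABI: kill
    ];
    for (i, &nr) in denied.iter().enumerate() {
        p.push(Insn { code: JEQ_K, jt: n - i as u8, jf: 0, k: nr });
    }
    p.push(Insn { code: RET_K, jt: 0, jf: 0, k: ALLOW });
    p.push(Insn { code: RET_K, jt: 0, jf: 0, k: KILL_PROCESS });
    p
}

/// Interpreter for the four opcodes above; returns the seccomp action.
pub fn run(prog: &[Insn], arch: u32, nr: u32) -> u32 {
    let (mut pc, mut acc) = (0usize, 0u32);
    loop {
        let i = prog[pc];
        pc += 1;
        match i.code {
            // Only offsets 0 (nr) and 4 (arch) are ever loaded here.
            LD_W_ABS => acc = if i.k == 0 { nr } else { arch },
            JEQ_K => pc += usize::from(if acc == i.k { i.jt } else { i.jf }),
            JGE_K => pc += usize::from(if acc >= i.k { i.jt } else { i.jf }),
            _ => return i.k, // RET_K
        }
    }
}

fn main() {
    let p = build_filter(&DENIED);
    println!("ptrace {:#x}, read {:#x}", run(&p, AUDIT_ARCH_X86_64, 101), run(&p, AUDIT_ARCH_X86_64, 0));
}
```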