LimTrac is a simple library written in Rust for the GNU/Linux platform. It executes potentially unsafe programs while enforcing some security policies (using Linux built-in capabilities such as seccomp, prlimit, cgroups, etc.). You can use it from your C/C++ and C# apps (bindings are available), and also from Rust (using types defined in the libc.rs and nix.rs crates). Of course, you can create your own binding to use limtrac on other platforms.
Limtrac is part of the Overtest free software project and is used by the Overtest Verification Agent to execute untrusted programs, so for now it contains only the features used by some parts of Overtest on the GNU/Linux platform:
- Execute any program in a child process as another user
- Specify CLI arguments and a working dir for the program
- Redirect I/O streams to files, duplicate `stderr` to `stdout`
- Set up resource limits (using `setrlimit` capabilities)
- Automatically kill a child process on a specified timeout
- Block potentially malicious system calls (using `seccomp`)
- Isolate a child process from some local resources using `unshare`
- Get resources usage and execution results for the process
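How the resource-limit, timeout and resource-usage items above map onto Linux primitives, as an added C example that is not limtrac's own code or API. The names `run_limited`, `cap_limit` and `struct run_result` are hypothetical, and seccomp filtering, `unshare`, I/O redirection and user switching are left out.

```c
#define _GNU_SOURCE /* for wait4() and usleep() */
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
struct run_result { int exit_code, term_signal, timed_out; long max_rss_kb; };
/* Lower the soft and hard limit together so the child cannot raise it back. */
static int cap_limit(int resource, rlim_t value) {
    struct rlimit l;
    if (getrlimit(resource, &l) != 0) return -1;
    if (value < l.rlim_max) l.rlim_max = value;
    l.rlim_cur = l.rlim_max;
    return setrlimit(resource, &l);
}
/* Hypothetical helper, not limtrac's API: run argv under limits and a timeout. */
struct run_result run_limited(char *const argv[], rlim_t cpu_s, rlim_t as_bytes, int timeout_ms) {
    struct run_result r = { -1, 0, 0, 0 };
    struct rusage ru = { 0 };
    int status = 0, waited_ms = 0;
    pid_t w, pid = fork();
    if (pid < 0) return r;
    if (pid == 0) {  /* child: apply limits, then exec the untrusted program */
        if (cap_limit(RLIMIT_CPU, cpu_s) || cap_limit(RLIMIT_AS, as_bytes)) _exit(126);
        execvp(argv[0], argv);
        _exit(127);  /* exec failed */
    }
    while ((w = wait4(pid, &status, WNOHANG, &ru)) == 0) {  /* 0: still running */
        if (waited_ms >= timeout_ms) {  /* approximate wall-clock budget used up */
            kill(pid, SIGKILL);
            r.timed_out = 1;
            w = wait4(pid, &status, 0, &ru);  /* reap so no zombie is left */
            break;
        }
        usleep(10 * 1000);  /* 10 ms poll interval */
        waited_ms += 10;
    }
    if (w != pid) return r;  /* wait4 failed */
    if (WIFEXITED(status)) r.exit_code = WEXITSTATUS(status);
    if (WIFSIGNALED(status)) r.term_signal = WTERMSIG(status);
    r.max_rss_kb = ru.ru_maxrss;  /* peak resident set size, kilobytes on Linux */
    return r;
}

int main(void) {  /* constructed sample workload: sleep 5 exceeds the 200 ms budget */
    char *slow[] = { "sleep", "5", NULL };
    struct run_result r = run_limited(slow, 2, 512UL << 20, 200);
    printf("signal=%d timed_out=%d maxrss=%ldKB\n", r.term_signal, r.timed_out, r.max_rss_kb);
    return 0;
}
```

The limits are applied in the child between `fork` and `execvp`, so they bind the target program and not the supervising process.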
All pull requests, questions and ideas are welcome 😃!
As stated above, you can use limtrac either from Rust or through a binding for one of the supported languages and platforms listed below. You can also create a binding manually on platforms that support interop with native libraries.
- Rust applications: using `nix` and `libc` crates
- .NET applications: `.dll` targeting dotnet-6
- C/C++ applications: `.h` header file
Don't forget that the seccomp feature and package need to be available and enabled in your development and target environments.
You can build limtrac only inside a GNU/Linux environment, or under Windows Subsystem for Linux (version 2 recommended). To build the project, use the standard Cargo build commands. The header file with C/C++ library bindings is generated automatically (using the cbindgen crate). Note that you need the seccomp and libseccomp-dev packages installed on your system to build the library.
```bash
cargo build # for development builds
cargo build --release # for release builds
```
Tip: Use JetBrains CLion with the official Rust plugin & WSL 2 to build limtrac 😃!
To build the demo app written in C, you need GCC, make and cmake on your system.
```bash
cd ./bindings/demoapp_c/
mkdir build && cd build
cmake ../ && make
```
The demo application written in C# is part of the .NET binding, so it can be built as part of the LimtracDotNet solution:
```bash
cargo build --release # required to build .NET binding
cd ./bindings/LimtracDotNet/
dotnet build # for development builds
dotnet publish # for release builds
```
LIMTRAC, a part of Overtest free software project.
Copyright (C) 2021-2023, Yurii Kadirov <contact@sirkadirov.com>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.