{"id":49346261,"url":"https://github.com/micromaomao/libturnstile","last_synced_at":"2026-04-27T07:35:09.800Z","repository":{"id":344308153,"uuid":"1169418257","full_name":"micromaomao/libturnstile","owner":"micromaomao","description":"Seccomp-unotify access tracer and namespace-based sandboxing library","archived":false,"fork":false,"pushed_at":"2026-04-26T23:59:35.000Z","size":207,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-27T07:34:38.356Z","etag":null,"topics":["linux","seccomp"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/micromaomao.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-28T16:56:17.000Z","updated_at":"2026-04-05T07:36:37.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/micromaomao/libturnstile","commit_stats":null,"previous_names":["micromaomao/turnstile","micromaomao/libturnstile"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/micromaomao/libturnstile","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/micromaomao%2Flibturnstile","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/micromaomao%2Flibturnstile/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/micromaomao%2Flibturnstile/releases","manifests_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/micromaomao%2Flibturnstile/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/micromaomao","download_url":"https://codeload.github.com/micromaomao/libturnstile/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/micromaomao%2Flibturnstile/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32327701,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"online","status_checked_at":"2026-04-27T02:00:06.769Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["linux","seccomp"],"created_at":"2026-04-27T07:35:09.211Z","updated_at":"2026-04-27T07:35:09.791Z","avatar_url":"https://github.com/micromaomao.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# libturnstile\n\n[![crates.io](https://img.shields.io/crates/v/libturnstile?style=flat)](https://crates.io/crates/libturnstile)\n\nTurnstile implements a\n[seccomp-unotify](https://man7.org/linux/man-pages/man2/seccomp_unotify.2.html)-based\naccess tracer, and a namespace / bind-mount based sandbox that can be used\nwith the tracer to dynamically find out about access requests and allow\nthem.\n\nThe tracer may also be used together with other sandboxing mechanisms\n(like Landlock), or used on its own for non-security scenarios to find 
out\nwhat files are used by a program.\n\n\u003e [!WARNING]\n\u003e **Work in progress**. API will not be stable at all.\n\n## Features\n\n### Tracer\n\n- Support most non-metadata fs accesses, including Unix socket connects\n- API is designed to be maximally data-preserving: files are identified by\n  their original path as passed from the application, possibly with a dir\n  fd for *at() operations.\n\n### Sandbox\n\n- Support dynamic manipulation of the sandbox's view of the filesystem\n  using bind mounts.\n\n## Goals\n\n- Completely unprivileged\n- The library itself should be non-opinionated\n- The library will support building a batteries-included, fully dynamic\n  and inspectable sandbox\n\n## Example\n\n```\n\u003e target/release/examples/fstrace cargo build\nfstrace[828276] exec \"/usr/local/bin/cargo\"\nfstrace[828276] exec \"/usr/bin/cargo\"\ncargo[828276] open r \"/etc/ld.so.preload\"\ncargo[828276] open r \"/etc/ld.so.cache\"\ncargo[828276] open r \"/usr/lib/liblzma.so.5\"\ncargo[828276] open r \"/usr/lib/libgcc_s.so.1\"\n...\nrustc[828297] unlink \"/home/mao/turnstile/target/debug/deps/libturnstile-00c39746b8f0f2b9.ehas8k75ezbnsay69cv9snhj1.0sbwwi3.rcgu.o\"\nrustc[828297] unlink \"/home/mao/turnstile/target/debug/deps/libturnstile-00c39746b8f0f2b9.eqlnbk1spzsmryvhy6r7il0y6.0sbwwi3.rcgu.o\"\nrustc[828297] unlink \"/home/mao/turnstile/target/debug/deps/libturnstile-00c39746b8f0f2b9.f0bf248u890rb6cl3b6abihvl.0sbwwi3.rcgu.o\"\ncargo[828294] open r \"/home/mao/turnstile/target/debug/deps/libturnstile-00c39746b8f0f2b9.d\"\ncargo[828294] create file \"/home/mao/turnstile/target/debug/.fingerprint/libturnstile-00c39746b8f0f2b9/dep-lib-libturnstile\"\ncargo[828294] open w \"/home/mao/turnstile/target/debug/.fingerprint/libturnstile-00c39746b8f0f2b9/dep-lib-libturnstile\"\ncargo[828294] open r \"/home/mao/turnstile/target/debug/deps/liblibturnstile-00c39746b8f0f2b9.rlib\"\ncargo[828294] open r 
\"/home/mao/turnstile/target/debug/liblibturnstile.rlib\"\ncargo[828294] unlink \"/home/mao/turnstile/target/debug/liblibturnstile.rlib\"\ncargo[828294] link \"/home/mao/turnstile/target/debug/deps/liblibturnstile-00c39746b8f0f2b9.rlib\" -\u003e \"/home/mao/turnstile/target/debug/liblibturnstile.rlib\"\ncargo[828294] create file \"/home/mao/turnstile/target/debug/.fingerprint/libturnstile-00c39746b8f0f2b9/lib-libturnstile\"\ncargo[828294] open w \"/home/mao/turnstile/target/debug/.fingerprint/libturnstile-00c39746b8f0f2b9/lib-libturnstile\"\ncargo[828294] create file \"/home/mao/turnstile/target/debug/.fingerprint/libturnstile-00c39746b8f0f2b9/lib-libturnstile.json\"\ncargo[828294] open w \"/home/mao/turnstile/target/debug/.fingerprint/libturnstile-00c39746b8f0f2b9/lib-libturnstile.json\"\n    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.15s\ncargo[828276] open r \"/home/mao/turnstile/target/debug/.fingerprint/libturnstile-00c39746b8f0f2b9/dep-lib-libturnstile\"\ncargo[828276] open r \"/home/mao/turnstile/target/debug/liblibturnstile.d\"\ncargo[828276] create file \"/home/mao/turnstile/target/debug/liblibturnstile.d\"\ncargo[828276] open w \"/home/mao/turnstile/target/debug/liblibturnstile.d\"\nfstrace: error: seccomp_notify_receive: There was a system failure beyond the control of libseccomp\nfstrace: child process exited with status exit status: 0\n```\n\n```\n\u003e cargo clean \u0026\u0026 time cargo build\n     Removed 1697 files, 497.1MiB total\n   Compiling proc-macro2 v1.0.106\n   Compiling unicode-ident v1.0.24\n   Compiling quote v1.0.45\n   Compiling libc v0.2.183\n   Compiling libseccomp-sys v0.3.0\n   Compiling pkg-config v0.3.32\n   Compiling thiserror v2.0.18\n   Compiling bitflags v2.11.0\n   Compiling log v0.4.29\n   Compiling libseccomp v0.4.0\n   Compiling syn v2.0.117\n   Compiling page_size v0.6.0\n   Compiling thiserror-impl v2.0.18\n   Compiling libturnstile v0.1.0 (/home/mao/turnstile)\n    Finished `dev` profile 
[unoptimized + debuginfo] target(s) in 1.21s\n\n________________________________________________________\nExecuted in    1.24 secs    fish           external\n   usr time    2.64 secs  391.00 micros    2.64 secs\n   sys time    0.44 secs   46.00 micros    0.44 secs\n\n\u003e cargo clean \u0026\u0026 time /tmp/fstrace -o fstrace.log cargo build\n     Removed 333 files, 90.2MiB total\n   Compiling proc-macro2 v1.0.106\n   Compiling quote v1.0.45\n   Compiling unicode-ident v1.0.24\n   Compiling libc v0.2.183\n   Compiling libseccomp-sys v0.3.0\n   Compiling pkg-config v0.3.32\n   Compiling thiserror v2.0.18\n   Compiling bitflags v2.11.0\n   Compiling log v0.4.29\n   Compiling libseccomp v0.4.0\n   Compiling syn v2.0.117\n   Compiling page_size v0.6.0\n   Compiling thiserror-impl v2.0.18\n   Compiling libturnstile v0.1.0 (/home/mao/turnstile)\n    Finished `dev` profile [unoptimized + debuginfo] target(s) in 1.40s\nfstrace: error: seccomp_notify_receive: There was a system failure beyond the control of libseccomp\nfstrace: child process exited with status exit status: 0\n\n________________________________________________________\nExecuted in    1.43 secs    fish           external\n   usr time    2.70 secs    3.51 millis    2.69 secs\n   sys time    0.62 secs    0.05 millis    0.62 secs\n\n\u003e wc -l fstrace.log\n7377 fstrace.log\n\n```\n\n## TODO\n\n- Improve API for performance and ergonomics\n- sendmm?sg, recvmm?sg handling (hard to do without deadlocking at the start)\n- io_uring (very hard to do properly, but maybe we can just disable)\n- Landlock support to restrict the tracer itself\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicromaomao%2Flibturnstile","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmicromaomao%2Flibturnstile","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicromaomao%2Flibturnstile/lists"}