_ _ _                  _
| (_) |____      ____ _(_)_   _____
| | | '_ \ \ /\ / / _` | \ \ / / _ \
| | | |_) \ V  V / (_| | |\ V /  __/
|_|_|_.__/ \_/\_/ \__,_|_| \_/ \___|

Overview
========

libwaive is a tiny library that provides waive(), a function that allows a
process to waive its right to perform certain actions (e.g. open a file).

It is inspired by Theo de Raadt's tame() system call
(http://article.gmane.org/gmane.os.openbsd.tech/43085) and uses libseccomp
(https://github.com/seccomp/libseccomp) and cmake (https://cmake.org).

Building
========

libwaive can be built with either CMake (https://www.cmake.org/) or GNU Make
(https://www.gnu.org/software/make/), with some limitations.

To build, simply run the following commands:

  $ mkdir build
  $ cd build
  $ cmake ..
  $ make
  $ sudo make install

or:

  $ make
  $ sudo make install

Limitations
===========

libwaive has three major shortcomings:
  1) It has to be updated when new system calls are introduced.
  2) When built against older kernel headers, libwaive won't block newer system
     calls present in the kernel it actually runs on, because detection is done
     at build-time.
  3) Due to limitations of libseccomp's API, libwaive cannot check the
     parameters of system calls that accept pointers (e.g. socketcall).
     Therefore, it is recommended to use WAIVE_SOCKET rather than WAIVE_INET,
     WAIVE_UN or WAIVE_PACKET, if possible.

Credits and Legal Information
=============================

libwaive is free and unencumbered software released under the terms of the MIT
license; see COPYING for the license text. For a list of its authors and
contributors, see AUTHORS.

The ASCII art logo at the top was made using FIGlet (http://www.figlet.org/).