Add Isolate user namespaces feature

An extrasafe Isolate uses namespaces to isolate a subprocess in a
tmpfs with (optionally) no network access.

Cargo.toml

@@ -11,6 +11,7 @@ categories = ["os::linux-apis"]
 
 [features]
 landlock = ["dep:landlock"]
+isolate = []
 
 [dependencies]
 seccompiler = { version = "^0.4", default-features = false }

Makefile

@@ -4,11 +4,13 @@ build:
 # Run all tests and examples
 test:
 	cargo test --tests --examples --all-features
+	cargo run --all-features --example isolate_test
 
 # Run all tests with and without all features
 test-ci:
 	cargo test --target=$(TARGET_TRIPLE) --tests --examples --all-features
 	cargo test --target=$(TARGET_TRIPLE) --tests --examples --no-default-features
+	cargo run --all-features --example isolate_test
 
 # Run clippy
 lint:
@@ -22,10 +24,15 @@ lint:
 doc:
 	RUSTDOCFLAGS="-Dwarnings" cargo doc --no-deps
 
+do-cov:
+	cargo llvm-cov clean --workspace
+	cargo llvm-cov --no-report --tests --examples --all-targets --all-features --workspace
+	cargo llvm-cov --no-report --all-features run --example isolate_test
+
 # Compute test coverage for CI with llvm-cov
-coverage-ci:
-	cargo llvm-cov --tests --examples --all-targets --all-features --workspace --lcov --output-path lcov.info
+coverage-ci: do-cov
+	cargo llvm-cov report --lcov --output-path lcov.info
 
 # Compute test coverage with HTML output
-coverage:
-	cargo llvm-cov --tests --examples --all-targets --all-features --workspace --html
+coverage: do-cov
+	cargo llvm-cov report --html

README.md

@@ -2,8 +2,6 @@
 
 [![Coverage Status](https://coveralls.io/repos/github/boustrophedon/extrasafe/badge.svg?branch=master)](https://coveralls.io/github/boustrophedon/extrasafe?branch=master) [![CI Status](https://github.com/boustrophedon/extrasafe/actions/workflows/build-test.yaml/badge.svg)](https://github.com/boustrophedon/extrasafe/actions/workflows/build-test.yaml) [![crates.io](https://img.shields.io/crates/v/extrasafe)](https://crates.io/crates/extrasafe) [![docs.rs](https://img.shields.io/docsrs/extrasafe)](https://docs.rs/extrasafe/latest/extrasafe/)
 
-*"trust noone not even urself" - internet man*
-
 ```rust
 fn main() {
     println!("disabling syscalls...");
@@ -27,7 +25,7 @@ fn main() {
 
 You've used safe and unsafe Rust: now your code can be extrasafe.
 
-extrasafe is a wrapper around [the Linux kernel's seccomp](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html) syscall-filtering functionality to prevent your program from calling syscalls you don't need, with support for [the Landlock Linux Security Module](https://landlock.io/). Seccomp is used by systemd, Chrome, application sandboxes like bubblewrap and firejail, and container runtimes. Seccomp by itself is not a complete sandboxing system.
+extrasafe is an easy-to-use wrapper around various Linux security tools, including [seccomp filters](https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html) syscall-filtering functionality to prevent your program from calling syscalls you don't need, [the Landlock Linux Security Module](https://landlock.io/) for more fine-grained control over IO operations, and [user namespaces](https://man7.org/linux/man-pages/man7/user_namespaces.7.html) for broader isolation. These tools are used by systemd, Chrome, container runtimes, and application sandboxes like bubblewrap and firejail.
 
 The goal of extrasafe is to make it easy to add extra security to your own programs without having to rely on external configuration by the person running the software.
 
@@ -66,7 +64,7 @@ fn main() {
 }
 ```
 
-Check out the [**user guide here**](https://github.com/boustrophedon/extrasafe/blob/master/user-guide.md)
+For examples of using user namespaces via extrasafe's `Isolate`, and more detailed information on the rest of extrasafe's features, check out the [**user guide here**](https://github.com/boustrophedon/extrasafe/blob/master/user-guide.md) and take a look at the [examples directory](https://github.com/boustrophedon/extrasafe/tree/master/examples)
 
 # Who is extrasafe for?
 
@@ -119,7 +117,7 @@ Why not both? Keep reading.
 
 ## Why not use systemd's built-in seccomp support?
 
-systemd supports filtering child processes' syscalls with seccomp via the `SystemCallFilter` attribute. See [e.g. this blog post](https://prefetch.net/blog/2017/11/27/securing-systemd-services-with-seccomp-profiles/) and [the systemd documentation]()
+systemd supports filtering child processes' syscalls with seccomp via the `SystemCallFilter` attribute. See [e.g. this blog post](https://prefetch.net/blog/2017/11/27/securing-systemd-services-with-seccomp-profiles/) and [the systemd documentation](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#System%20Call%20Filtering)
 
 Issues:
 
@@ -140,8 +138,6 @@ In the same way, from the perspective of a developer, there's no guarantee that
 
 # Development
 
-Using make as a simple command runner until `just` is packaged for Ubuntu/Debian, or you can run the cargo commands directly.
-
 ## Tests
 
 `make test`