Getting Started

Install Rex, create a script and policy, and run them together. The whole thing takes about two minutes.

1. Install Rex

rex-runner is a single binary, installed via Cargo.

Terminal
cargo install rex-runner

# Verify it works
rex-runner --help

PATH setup. cargo install places every binary it builds in the bin folder of the installation root. If you installed Rust using rustup.rs and have no custom configuration, that directory is $HOME/.cargo/bin. Make sure it is in your $PATH so you can run programs installed with cargo install.

Prefer to build from source? View on GitHub →

2. Create a Policy

The policy defines what the script is allowed to do. Rex denies everything by default.

Terminal
cat > policy.cedar << 'EOF'
permit(
    principal,
    action in [
        file_system::Action::"open",
        file_system::Action::"read",
        file_system::Action::"write",
        file_system::Action::"create",
    ],
    resource
) when {
    resource in file_system::Dir::"/tmp" ||
    resource in file_system::Dir::"/private/tmp"
};
EOF
Why /private/tmp? On macOS, /tmp is a symlink to /private/tmp. Rex authorizes both the symlink and its resolved target, so the policy has to permit each.
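
The same rule applies to any directory reached through a symlink, not only /tmp. As an added example (not part of the Rex documentation), this shell helper prints the when conditions for a directory as written and for its resolved target. The function names policy_dirs and cedar_when_clause are made up here, and the helper assumes that naming those two forms of the path is what the policy needs.

```shell
#!/bin/sh
# Added example, not part of Rex. Function names are hypothetical.

# policy_dirs DIR: print DIR as written, then its symlink-free path if that differs.
policy_dirs() {
    dir=${1%/}                      # drop one trailing slash
    [ -n "$dir" ] || dir=/          # the argument was "/" itself
    case $dir in
        /*) ;;
        *) echo "not an absolute path: $1" >&2; return 1 ;;
    esac
    # cd -P and pwd -P resolve every symlink along the path
    real=$(cd -P -- "$dir" 2>/dev/null && pwd -P) || {
        echo "cannot resolve directory: $dir" >&2; return 1
    }
    printf '%s\n' "$dir"
    [ "$real" = "$dir" ] || printf '%s\n' "$real"
}

# cedar_when_clause DIR: print the body of a when { } block naming each form of DIR.
cedar_when_clause() {
    dirs=$(policy_dirs "$1") || return 1
    case $dirs in
        # Quotes and backslashes would need escaping inside a Cedar string; refuse them.
        *\"*|*\\*) echo "path needs escaping for a Cedar string" >&2; return 1 ;;
    esac
    # One condition per line, joined with || on every line except the last.
    printf '%s\n' "$dirs" |
        sed -e 's/.*/    resource in file_system::Dir::"&"/' -e '$!s/$/ ||/'
}

# On macOS this prints two conditions (/tmp and /private/tmp); on most Linux systems, one.
if [ -d /tmp ]; then cedar_when_clause /tmp; fi
```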

3. Create a Script

Rex scripts are written in Rhai. This one writes a file, then reads it back.

Terminal
cat > script.rhai << 'EOF'
// Write a greeting
write("/tmp/hello.txt", "Hello from Rex!");

// Read it back
let content = cat("/tmp/hello.txt");
info(content);
EOF

4. Run It

Pass the script and policy to rex-runner. Every operation is checked against the policy before it executes.

Terminal
rex-runner \
  --script-file script.rhai \
  --policy-file policy.cedar \
  --output-format human \
  --verbose

See the Docs for the full list of CLI flags and Cedar actions.

What's Next