restrict

package module
v0.0.0-...-b72994f Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 29, 2024 License: BSD-3-Clause Imports: 18 Imported by: 3

Documentation

Overview

A library to secure your application on diverse system levels.

  • Jail-ability: Using Trust() and Resolver() enables your application to be independant from the typical CA bundle and DNS resolving system dependencies. It allows a fine-grained approach to your ressource usage.
  • Syscall limitation: Using Syscalls() gives you the ability to use the comfort of OpenBSD's pledge or seccomp on linux in a pledge like variation.
  • Filesystem view: Using Access() and AccessLock() lets you fine tune the usage of the filesystem with OpenBSD's unveil or landlock on linux in a unveil like mode.

We are only supporting the latest Landlock ABI version (3+) and seccomp API version (6+). Kernels before version 6.x (formerly 5.13) and without Landlock¹ as LSM and seccomp² are not supported and will result in an immediate abort of the application (exit code 255).

Linux support is AMD64 only at the moment. ARM64 and/or RISCV64 may come later.

¹ https://www.kernel.org/doc/html/latest/userspace-api/landlock.html
² https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html

Sets aka promises available on linux:

  • stdio
  • rpath
  • wpath
  • cpath
  • dpath
  • tmppath
  • inet
  • mcast (stub)
  • fattr
  • chown
  • flock
  • unix
  • dns
  • getpw
  • sendfd
  • recvfd
  • tape (stub)
  • tty
  • proc
  • exec
  • prot_exec (openbsd only)
  • settime
  • ps (stub)
  • vminfo
  • id
  • pf (openbsd only)
  • route (stub)
  • wroute (stub)
  • audio
  • video
  • bpf
  • unveil (alias landlock)
  • error

See https://man.openbsd.org/pledge.2 for more info.

Linux only:

  • capabilities
  • namespaces

Index

Constants

This section is empty.

Variables

View Source
var (
	// Debug enables additional info output through Logger.
	Debug bool

	// Logger default to stderr and adds a prefix of "restrict: "
	Logger *log.Logger = logger
)

Functions

func Access

func Access(path string, flags string) error

Access tries to behave similar to OpenBSD's unveil syscall. It limits the filesystem view for that application by defining a path (directory or file) and flags (crwx) as appropiate. You can call Access() as often as needed, until you call AccessLock() once. A path has to exist prior to the Access() call. If that path is a directory, it will enable all filesystem access underneath that path using the given flags.

Beware! The underlaying landlock works unfortunately unlike the unveil implementation. Know that the first call to Access() does not remove visibility of the entire filesystem. You have to call AccessLock() to see that effect. Unlinke on unveil on OpenBSD, the landlock implementation on linux passes the restrictions to forked/cloned or execve'd child processes. See SyscallsExec() on linux for more information.

func AccessLock

func AccessLock() error

AccessLock removes the ability to allow Access() to filesystem objects. You must call it once. If you call it without calling Access() before, then you will essentially disallow the whole filesystem. (Besides the implicit Access() calls through the other given sets.)

func Disable

func Disable() error

Disable gives you the ability to let all restrict function calls be nil returned, except the Trust function that returns an empty *tls.Config.

Beware! It has to be the first restrict function call in the application and all protections are off. A notice will be printed to Logger:

"restrict: All subsequent restrict calls are disabled on your demand!"

func Resolver

func Resolver(dns string) error

Resolver takes an IP address of a DNS server and sets it as the DefaultResolver. This mainly targets standard library functions. You can still circumvent this measure programmatically, but it sets a default.

func Syscalls

func Syscalls(allow string) error

Syscalls tries to behave similar to OpenBSD's pledge syscall. It forces that application in a syscall restricted operating mode by defining sets (a collection of syscalls, see promises on OpenBSD) as appropiate. You can call Syscalls() as often as needed, but you can only reduce the allow sets from the previous call. The use of an unallowed syscall results in the default action to kill the process and notify about the incident in your kernel syslog. You can avoid this by applying the error set which will return ENOSYS to the calling function.

SyscallsExec is a no-op on linux since Syscalls and Access are inheriting the restriction to it's childs.

func SyscallsExec deprecated

func SyscallsExec(allow string) error

SyscallsExec is a no-op on linux.

Deprecated: Landlock¹ and seccomp² calls are inherited on Syscalls() with linux.

¹ https://www.kernel.org/doc/html/latest/userspace-api/landlock.html#inheritance
² https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html#usage

func Trust

func Trust(pool *x509.CertPool) *tls.Config

Trust sets the RootCA to your given pool and sets default http transport TLS config and returns a pointer to that config to use in other network connection usage such as tls.Dial.

Types

This section is empty.

Directories

Path Synopsis
examples
dns
tmp

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL