Documentation ¶
Overview ¶
Package seccomp provides a way to install a syscall filter for a Linux process. It uses seccomp (secure computing) BPF filters.
Example ¶
```go
package main

import (
	"fmt"

	seccomp "github.com/elastic/go-seccomp-bpf"
)

func main() {
	// Create a filter.
	filter := seccomp.Filter{
		NoNewPrivs: true,
		Flag:       seccomp.FilterFlagTSync,
		Policy: seccomp.Policy{
			DefaultAction: seccomp.ActionAllow,
			Syscalls: []seccomp.SyscallGroup{
				{
					Action: seccomp.ActionErrno,
					Names: []string{
						"fork",
						"vfork",
						"execve",
						"execveat",
					},
				},
			},
		},
	}

	// Load it. This will set no_new_privs before loading.
	if err := seccomp.LoadFilter(filter); err != nil {
		fmt.Println("failed to load filter: ", err)
		return
	}
}
```
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func LoadFilter ¶
func LoadFilter(filter Filter) error
LoadFilter installs the seccomp filter using native methods. When the filter's NoNewPrivs field is set, the no_new_privs bit is set before the filter is loaded.
func SetNoNewPrivs ¶
func SetNoNewPrivs() error
SetNoNewPrivs will use prctl to set the calling thread's no_new_privs bit to 1 (true). Once set, this bit cannot be unset.
Types ¶
type Action ¶
type Action uint32
Action specifies what to do when a syscall matches during filter evaluation.
func (Action) MarshalText ¶
func (a Action) MarshalText() ([]byte, error)
MarshalText marshals the value to text.
type Filter ¶
```go
type Filter struct {
	NoNewPrivs bool       `config:"no_new_privs" json:"no_new_privs"` // Set the process's no new privs bit.
	Flag       FilterFlag `config:"flag" json:"flag"`                 // Flag to pass to the seccomp call.
	Policy     Policy     `config:"policy" json:"policy"`             // Policy that will be assembled into a BPF filter.
}
```
Filter contains all the parameters necessary to install a Linux seccomp filter for the process.
type FilterFlag ¶
type FilterFlag uint32
FilterFlag is a flag that is passed to the seccomp syscall. Multiple flags can be OR'ed together.
```go
const (
	FilterFlagTSync FilterFlag = 0x1
	FilterFlagLog   FilterFlag = 0x2
)
```
func (FilterFlag) MarshalText ¶
func (f FilterFlag) MarshalText() ([]byte, error)
MarshalText marshals the value to text.
func (FilterFlag) String ¶
func (f FilterFlag) String() string
String returns a string representation of the FilterFlag.
type Policy ¶
```go
type Policy struct {
	DefaultAction Action         `config:"default_action" json:"default_action" yaml:"default_action"` // Action when no syscalls match.
	Syscalls      []SyscallGroup `config:"syscalls" json:"syscalls" yaml:"syscalls"`                   // Groups of syscalls and actions.
	// contains filtered or unexported fields
}
```
Policy defines the BPF seccomp filter.
func (*Policy) Assemble ¶
func (p *Policy) Assemble() ([]bpf.Instruction, error)
Assemble assembles the policy into a list of BPF instructions. If the policy contains any unknown syscalls or invalid actions an error will be returned.
type SyscallGroup ¶
```go
type SyscallGroup struct {
	Names  []string `config:"names" validate:"required" json:"names" yaml:"names"`     // List of syscall names (all must exist).
	Action Action   `config:"action" validate:"required" json:"action" yaml:"action"` // Action to take upon a match.
	// contains filtered or unexported fields
}
```
SyscallGroup is a logical block within a Policy that contains a set of syscalls to match against and an action to take.
func (*SyscallGroup) Assemble ¶
func (g *SyscallGroup) Assemble() ([]bpf.Instruction, error)
Assemble assembles the group into a list of BPF instructions. If the group contains any unknown syscalls or an invalid action, an error is returned.
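To make concrete what Policy.Assemble and SyscallGroup.Assemble turn a policy into, here is an added, stdlib-only Go program (not code from go-seccomp-bpf) that builds a filter shaped like the Example's single group: an audit-arch check first, then one compare per syscall name that jumps to an errno return, then the default allow. It then interprets the program the way the kernel does, so execve is refused with EPERM while read passes, and an unknown syscall name fails assembly the same way Assemble does. The opcodes and seccomp return values are the Linux UAPI constants; the syscall table is a constructed six-entry x86_64 subset (the real tables live in the arch subpackage).

```go
package main
import "fmt"
// BPF opcodes (LD|W|ABS, JMP|JEQ|K, RET|K) and seccomp return values from the Linux UAPI headers.
const bpfLdAbsW, bpfJmpJeqK, bpfRetK = 0x20, 0x15, 0x06
const auditArchX86_64, retKillProcess, retErrno, retAllow = 0xc000003e, 0x80000000, 0x00050000, 0x7fff0000
// insn is one struct sock_filter entry: opcode, true/false jump offsets, constant.
type insn struct {
	code   uint16
	jt, jf uint8
	k      uint32
}
// Constructed subset of the x86_64 syscall table; the arch subpackage holds the real one.
var x8664 = map[string]uint32{"read": 0, "write": 1, "fork": 57, "vfork": 58, "execve": 59, "execveat": 322}
// assemble builds a filter shaped like a one-group Policy: check arch, match names to errno, else allow.
func assemble(names []string, errno uint32) ([]insn, error) {
	prog := []insn{
		{code: bpfLdAbsW, k: 4},                       // A = seccomp_data.arch
		{code: bpfJmpJeqK, jt: 1, k: auditArchX86_64}, // expected arch: skip the kill
		{code: bpfRetK, k: retKillProcess},            // foreign arch: numbers differ, so kill
		{code: bpfLdAbsW, k: 0},                       // A = seccomp_data.nr
	}
	for i, name := range names {
		nr, ok := x8664[name]
		if !ok {
			return nil, fmt.Errorf("unknown syscall %q", name) // Assemble fails the same way
		}
		// On a match, jump over the remaining compares and the allow onto the errno return.
		prog = append(prog, insn{code: bpfJmpJeqK, jt: uint8(len(names) - i), k: nr})
	}
	return append(prog, insn{code: bpfRetK, k: retAllow}, insn{code: bpfRetK, k: retErrno | errno}), nil
}
// run interprets the program as the kernel would; the load offset picks the seccomp_data field (nr=0, arch=4).
func run(prog []insn, nr, arch uint32) uint32 {
	data, a := map[uint32]uint32{0: nr, 4: arch}, uint32(0)
	for pc := 0; ; pc++ { // a well-formed filter always ends in a return
		switch in := prog[pc]; {
		case in.code == bpfLdAbsW:
			a = data[in.k]
		case in.code == bpfRetK:
			return in.k
		case a == in.k: // bpfJmpJeqK, comparison true
			pc += int(in.jt)
		default: // bpfJmpJeqK, comparison false
			pc += int(in.jf)
		}
	}
}
func main() {
	prog, err := assemble([]string{"fork", "vfork", "execve", "execveat"}, 1) // errno 1 = EPERM
	if err != nil {
		panic(err)
	}
	fmt.Printf("execve -> %#x, read -> %#x\n", run(prog, 59, auditArchX86_64), run(prog, 0, auditArchX86_64))
}
```

The arch check matters because syscall numbers differ between ABIs; a filter that only compares numbers would misfire for a process that switched to the 32-bit ABI, which is why the mismatch branch kills rather than allows.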
Directories ¶
Path | Synopsis
---|---
arch | Package arch provides architecture specific Linux constants like the audit arch constant and syscall tables.
cmd |