seccomp

package module

v1.0.0 Latest Latest Go to latest Published: May 17, 2018 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/dustin-decker/go-seccomp-bpf

Links

Open Source Insights

README ¶

go-seccomp-bpf

go-seccomp-bpf is a library for Go (golang) for loading a system call filter on Linux 3.17 and later by taking advantage of secure computing mode, also known as seccomp. Seccomp restricts the system calls that a process can invoke.

The kernel exposes a large number of system calls that are not used by most processes. By installing a seccomp filter, you can limit the total kernel surface exposed to a process (principle of least privilege). This minimizes the impact of unknown vulnerabilities that might be found in the process.

The filter is expressed as a Berkeley Packet Filter (BPF) program. The BPF program is generated based on a filter policy created by you.

Requirements

Requires Linux 3.17 because it uses the seccomp syscall in order to take advantage of the SECCOMP_FILTER_FLAG_TSYNC flag to sync the filter to all threads.

Features

Pure Go and does not have a libseccomp dependency.
Filters are customizable and can be written a whitelist or blacklist.
Uses SECCOMP_FILTER_FLAG_TSYNC to sync the filter to all threads created by the Go runtime.
Invokes prctl(PR_SET_NO_NEW_PRIVS, 1) to set the threads no_new_privs bit which is generally required before loading a seccomp filter.
seccomp-profiler tool for automatically generating a whitelist policy based on the system calls that a binary uses.

Limitations

System call argument filtering is not implemented. (Pull requests are welcomed. See #1.)
System call tables are only implemented for 386, amd64, and arm. (More system call table generation code should be added to arch/mk_syscalls_linux.go.)

Examples

GoDoc Package Example
sandbox example in cmd/sandbox.

Projects Using elastic/go-seccomp-bpf

Please open a PR to submit your project.

elastic/beats

Documentation ¶

Rendered for

Overview ¶

Package seccomp provides a way to install a syscall filter for a Linux process. It uses the seccomp (secure computing) BPF filters.

Example ¶

// Create a filter.
filter := seccomp.Filter{
	NoNewPrivs: true,
	Flag:       seccomp.FilterFlagTSync,
	Policy: seccomp.Policy{
		DefaultAction: seccomp.ActionAllow,
		Syscalls: []seccomp.SyscallGroup{
			{
				Action: seccomp.ActionErrno,
				Names: []string{
					"fork",
					"vfork",
					"execve",
					"execveat",
				},
			},
		},
	},
}

// Load it. This will set no_new_privs before loading.
if err := seccomp.LoadFilter(filter); err != nil {
	fmt.Println("failed to load filter: ", err)
	return
}

Output:

Index ¶

func LoadFilter(filter Filter) error
func SetNoNewPrivs() error
func Supported() bool
type Action
type Filter
type FilterFlag
- func (f FilterFlag) MarshalText() ([]byte, error)
- func (f FilterFlag) String() string
type Policy
type SyscallGroup
- func (g *SyscallGroup) Assemble() ([]bpf.Instruction, error)

Examples ¶

Package

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func LoadFilter ¶

func LoadFilter(filter Filter) error

LoadFilter will install seccomp using native methods.

func SetNoNewPrivs ¶

func SetNoNewPrivs() error

SetNoNewPrivs will use prctl to set the calling thread's no_new_privs bit to 1 (true). Once set, this bit cannot be unset.

func Supported ¶

func Supported() bool

Supported returns true if the seccomp syscall is supported.

Types ¶

type Action ¶

type Action uint32

Action specifies what to do when a syscall matches during filter evaluation.

const (
	ActionKillThread  Action = 0x0
	ActionKillProcess Action = 0x80000000
	ActionTrap        Action = 0x30000
	ActionErrno       Action = 0x50000
	ActionTrace       Action = 0x7ff00000
	ActionLog         Action = 0x7ffc0000
	ActionAllow       Action = 0x7fff0000
)

func (Action) MarshalText ¶

func (a Action) MarshalText() ([]byte, error)

MarshalText marshals the value to text.

func (Action) String ¶

func (a Action) String() string

String returns a string representation of the Action.

func (*Action) Unpack ¶

func (a *Action) Unpack(s string) error

Unpack sets the Action value based on the string.

type Filter ¶

type Filter struct {
	NoNewPrivs bool       `config:"no_new_privs" json:"no_new_privs"` // Set the process's no new privs bit.
	Flag       FilterFlag `config:"flag"         json:"flag"`         // Flag to pass to the seccomp call.
	Policy     Policy     `config:"policy"       json:"policy"`       // Policy that will be assembled into a BPF filter.
}

Filter contains all the parameters necessary to install a Linux seccomp filter for the process.

type FilterFlag ¶

type FilterFlag uint32

FilterFlag is a flag that is passed to the seccomp. Multiple flags can be OR'ed together.

const (
	FilterFlagTSync FilterFlag = 0x1

	FilterFlagLog FilterFlag = 0x2
)

func (FilterFlag) MarshalText ¶

func (f FilterFlag) MarshalText() ([]byte, error)

MarshalText marshals the value to text.

func (FilterFlag) String ¶

func (f FilterFlag) String() string

String returns a string representation of the FilterFlag.

type Policy ¶

type Policy struct {
	DefaultAction Action         `config:"default_action" json:"default_action" yaml:"default_action"` // Action when no syscalls match.
	Syscalls      []SyscallGroup `config:"syscalls"       json:"syscalls"       yaml:"syscalls"`       // Groups of syscalls and actions.
	// contains filtered or unexported fields
}

Policy defines the BPF seccomp filter.

func (*Policy) Assemble ¶

func (p *Policy) Assemble() ([]bpf.Instruction, error)

Assemble assembles the policy into a list of BPF instructions. If the policy contains any unknown syscalls or invalid actions an error will be returned.

func (*Policy) Dump ¶

func (p *Policy) Dump(out io.Writer) error

Dump writes a textual represenation of the BPF instructions to out.

func (*Policy) Validate ¶

func (p *Policy) Validate() error

Validate validates that the configuration has both a default action and a set of syscalls.

type SyscallGroup ¶

type SyscallGroup struct {
	Names  []string `config:"names"  validate:"required" json:"names"  yaml:"names"`  // List of syscall names (all must exist).
	Action Action   `config:"action" validate:"required" json:"action" yaml:"action"` // Action to take upon a match.
	// contains filtered or unexported fields
}

SyscallGroup is a logical block within a Policy that contains a set of syscalls to match against and an action to take.

func (*SyscallGroup) Assemble ¶

func (g *SyscallGroup) Assemble() ([]bpf.Instruction, error)

Assemble assembles the policy into a list of BPF instructions. If the group contains any unknown syscalls or invalid actions an error will be returned.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
arch Package arch provides architecture specific Linux constants like the audit arch constant and syscall tables.	Package arch provides architecture specific Linux constants like the audit arch constant and syscall tables.
cmd
sandbox
seccomp-profiler
seccomp-profiler/disasm

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL