Go library for installing a seccomp BPF system call filter.
APACHE-2.0 License
go-seccomp-bpf is a library for Go (golang) for loading a system call filter on Linux 3.17 and later by taking advantage of secure computing mode, also known as seccomp. Seccomp restricts the system calls that a process can invoke.
The kernel exposes a large number of system calls that are not used by most processes. By installing a seccomp filter, you can limit the total kernel surface exposed to a process (principle of least privilege). This minimizes the impact of unknown vulnerabilities that might be found in the process.
The filter is expressed as a Berkeley Packet Filter (BPF) program. The BPF program is generated based on a filter policy created by you.
seccomp
syscall in order to takeSECCOMP_FILTER_FLAG_TSYNC
flag to sync the filter to allSECCOMP_FILTER_FLAG_TSYNC
to sync the filter to all threads created byprctl(PR_SET_NO_NEW_PRIVS, 1)
to set the threads no_new_privs
bitsandbox
example in cmd/sandbox.This package contains a list of syscall numbers that are generated from the Linux sources. Update the git tag here and then run this command to generate the code.
docker run -it --rm -v `pwd`:/go-seccomp-bpf -w /go-seccomp-bpf/arch golang:1.18 go generate
Please open a PR to submit your project.