// SPDX-FileCopyrightText: © 2020 Georg Sauthoff <[email protected]>
// SPDX-License-Identifier: GPL-3.0-or-later
// +build sandbox
package main
// This sandboxing is meant as a defence-in-depth measure: since Go is a
// memory-safe language, an attacker should already have a hard time reaching
// the point where this program executes unexpected syscalls.
// However, if that does happen, the attacker only has a limited set of
// syscalls available (see below).
import (
seccomp "github.com/seccomp/libseccomp-golang"
)
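// whitelist_syscalls installs a seccomp filter whose default action kills the
// process (or, when debug is true, only logs the violation) and that
// explicitly allows every syscall named in syscalls.
//
// The filter is loaded with thread synchronisation (TSYNC) so that it is
// applied to every OS thread of the process, not only the thread that happens
// to run this function. The Go runtime multiplexes goroutines over several
// threads, so without TSYNC a goroutine scheduled onto another thread would
// run unfiltered.
//
// Any failure (unknown syscall name, missing kernel/libseccomp support,
// failure to load) panics, consistent with the rest of the file: a sandbox
// that silently fails to install is worse than an obvious crash.
func whitelist_syscalls(syscalls []string, debug bool) {
	action := seccomp.ActKillProcess
	if debug {
		action = seccomp.ActLog
	}
	f, err := seccomp.NewFilter(action)
	if err != nil {
		panic(err)
	}
	// The libseccomp context is only needed until the filter is loaded into
	// the kernel; free it on every exit path.
	defer f.Release()
	// Apply the filter to all threads of the process at load time.
	if err := f.SetTsync(true); err != nil {
		panic(err)
	}
	for _, name := range syscalls {
		id, err := seccomp.GetSyscallFromName(name)
		if err != nil {
			panic(err)
		}
		if err := f.AddRule(id, seccomp.ActAllow); err != nil {
			panic(err)
		}
	}
	if err := f.Load(); err != nil {
		panic(err)
	}
}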
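// blacklist_syscalls installs a seccomp filter that allows everything by
// default and kills the process (or, when debug is true, only logs the
// violation) for every syscall named in syscalls.
//
// Like whitelist_syscalls, the filter is loaded with thread synchronisation
// (TSYNC) so that every OS thread of the Go runtime is covered, not only the
// calling thread. Any failure panics; the sandbox must not fail silently.
func blacklist_syscalls(syscalls []string, debug bool) {
	f, err := seccomp.NewFilter(seccomp.ActAllow)
	if err != nil {
		panic(err)
	}
	// The libseccomp context is only needed until the filter is loaded into
	// the kernel; free it on every exit path.
	defer f.Release()
	// Apply the filter to all threads of the process at load time.
	if err := f.SetTsync(true); err != nil {
		panic(err)
	}
	// The denying action is the same for every listed syscall; pick it once
	// instead of once per loop iteration.
	action := seccomp.ActKillProcess
	if debug {
		action = seccomp.ActLog
	}
	for _, name := range syscalls {
		id, err := seccomp.GetSyscallFromName(name)
		if err != nil {
			panic(err)
		}
		if err := f.AddRule(id, action); err != nil {
			panic(err)
		}
	}
	if err := f.Load(); err != nil {
		panic(err)
	}
}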
// sandbox_me confines this process to the fixed allow-list of syscalls below
// by installing a seccomp filter through whitelist_syscalls. When debug is
// true, violations are logged rather than killing the process.
//
// NOTE(review): the list is not derived from the program itself and must be
// revisited whenever the Go toolchain changes; for instance, Go 1.14+ async
// preemption signals threads via tgkill, which is not listed here — confirm
// against the Go version actually in use.
func sandbox_me(debug bool) {
	allowed := []string{
		"arch_prctl",
		"clone",
		"close",
		"epoll_create",
		"epoll_create1",
		"epoll_ctl",
		"epoll_pwait",
		"exit",
		"exit_group",
		"fcntl",
		"flock",
		"fstat",
		"futex",
		"getpid",
		"gettid",
		"lseek",
		"madvise",
		"mincore",
		"mmap",
		"mprotect",
		"munmap",
		"nanosleep",
		"openat",
		"pread64",
		"prctl",
		"read",
		"readlinkat",
		"restart_syscall",
		"rt_sigaction",
		"rt_sigprocmask",
		"rt_sigreturn", // really needed?
		"sched_getaffinity",
		"sched_yield",
		"seccomp", // kept so that blacklist_open can load a second, tighter filter later
		"set_robust_list",
		"setitimer",
		"sigaltstack",
		"write",
	}
	whitelist_syscalls(allowed, debug)
}
// blacklist_open tightens the sandbox established by sandbox_me. It is meant
// to be called after sandbox_me and after every file the program needs (the
// database, a temporary file and some files from pseudo-filesystems) has been
// opened: from then on openat is denied, and so is seccomp itself, closing
// the door that sandbox_me left open for this second filter. When debug is
// true, violations are logged rather than killing the process.
func blacklist_open(debug bool) {
	denied := []string{"seccomp", "openat"}
	blacklist_syscalls(denied, debug)
}