Documentation ¶
Overview ¶
A library to restrict your application at several system levels.
- Jail-ability: Using Trust() and Resolver() makes your application independent of the usual system dependencies, the CA bundle and the DNS resolver. This allows a fine-grained approach to your resource usage.
- Syscall limitation: Using Syscalls() gives you the comfort of OpenBSD's pledge, or, on Linux, seccomp in a pledge-like variation.
- Filesystem view: Using Access() and AccessLock() lets you fine-tune the application's view of the filesystem with OpenBSD's unveil, or, on Linux, Landlock in an unveil-like mode.
Only the latest Landlock ABI version (3 and later) and seccomp API version (6 and later) are supported. Kernels older than 6.x (the minimum used to be 5.13), or kernels without Landlock¹ enabled as an LSM and without seccomp², are not supported and cause an immediate abort of the application (exit code 255).
Linux support is AMD64 only at the moment. ARM64 and/or RISCV64 may come later.
¹ https://www.kernel.org/doc/html/latest/userspace-api/landlock.html ² https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html
Sets (aka promises) available on Linux:
- stdio
- rpath
- wpath
- cpath
- dpath
- tmppath
- inet
- mcast (stub)
- fattr
- chown
- flock
- unix
- dns
- getpw
- sendfd
- recvfd
- tape (stub)
- tty
- proc
- exec
- prot_exec (openbsd only)
- settime
- ps (stub)
- vminfo
- id
- pf (openbsd only)
- route (stub)
- wroute (stub)
- audio
- video
- bpf
- unveil (alias landlock)
- error
See https://man.openbsd.org/pledge.2 for more info.
Linux only:
- capabilities
- namespaces
Index ¶
Constants ¶
This section is empty.
Variables ¶
var (
	// Debug enables additional info output through Logger.
	Debug bool
	// Logger defaults to stderr and adds a prefix of "restrict: ".
	Logger *log.Logger = logger
)
Functions ¶
func Access ¶
Access tries to behave similarly to OpenBSD's unveil syscall. It limits the filesystem view of the application by registering a path (directory or file) together with flags (any combination of c, r, w and x) as appropriate. You can call Access() as often as needed until you call AccessLock() once. The path has to exist before the Access() call. If the path is a directory, access with the given flags is granted to everything underneath it.
Beware! The underlying Landlock mechanism unfortunately behaves differently from the unveil implementation. The first call to Access() does not remove visibility of the rest of the filesystem; that only takes effect once AccessLock() is called. Also unlike unveil on OpenBSD, the Landlock restrictions on Linux are passed on to forked/cloned or execve'd child processes. See SyscallsExec() for the Linux details.
func AccessLock ¶
func AccessLock() error
AccessLock ends the Access() phase and activates the restrictions; no further Access() calls are possible afterwards. You must call it exactly once. If you call it without any prior Access() call, you effectively disallow the whole filesystem (apart from the implicit Access() calls made by the other sets you requested).
func Disable ¶
func Disable() error
Disable turns every subsequent restrict call into a no-op that returns nil. The exception is Trust, which then returns an empty *tls.Config.
Beware! It has to be the first restrict function call in the application, and afterwards all protections are off. A notice is printed to Logger:
"restrict: All subsequent restrict calls are disabled on your demand!"
func Resolver ¶
Resolver takes the IP address of a DNS server and installs it as the DefaultResolver (net.DefaultResolver). This mainly affects standard library functions. Code can still bypass it programmatically, for example by constructing its own net.Resolver, but it sets the default.
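The two jail-ability pieces, a TLS config that trusts only a pinned CA pool instead of the system bundle (Trust) and a default resolver that always dials one configured DNS server (Resolver), can be reproduced with the standard library alone. The following is an added example, not the library's code; the function names newTestCA, pinnedTLSConfig, chainsToPool, resolverAddr and setResolver are assumptions of this example, and the CA it verifies against is generated in memory so the program runs offline.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newTestCA generates a throwaway self-signed CA in memory so that the example
// runs offline (constructed test data). A real program would embed or load its own CA.
func newTestCA(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// pinnedTLSConfig returns a *tls.Config whose RootCAs holds only the given
// certificates, so chain verification never consults the system CA bundle.
func pinnedTLSConfig(roots ...*x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	for _, c := range roots {
		pool.AddCert(c)
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS13}
}

// chainsToPool reports whether cert verifies against the pool in cfg
// (no DNS name check), i.e. whether this config alone would trust it.
func chainsToPool(cfg *tls.Config, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	return err == nil
}

// resolverAddr turns a DNS server IP into the host:port a resolver dials. Only
// literal IPs are accepted, so finding the resolver never needs the system resolver.
func resolverAddr(ip string) (string, error) {
	if net.ParseIP(ip) == nil {
		return "", fmt.Errorf("resolver: %q is not an IP address", ip)
	}
	return net.JoinHostPort(ip, "53"), nil
}

// setResolver installs a Go-native resolver that always dials the given server
// as net.DefaultResolver. Code that builds its own net.Resolver still bypasses it.
func setResolver(ip string) (*net.Resolver, error) {
	addr, err := resolverAddr(ip)
	if err != nil {
		return nil, err
	}
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			var d net.Dialer
			return d.DialContext(ctx, network, addr)
		},
	}
	net.DefaultResolver = r
	return r, nil
}

func main() {
	ca, err := newTestCA("example-private-ca")
	if err != nil {
		panic(err)
	}
	cfg := pinnedTLSConfig(ca)
	fmt.Println("pinned CA trusted:", chainsToPool(cfg, ca))
	if _, err := setResolver("9.9.9.9"); err != nil {
		panic(err)
	}
	fmt.Println("net.DefaultResolver now dials only the configured server")
}
```

The check in chainsToPool is the property Trust() is meant to give you: a certificate issued by any CA outside the pinned pool, including every CA in the system bundle, fails verification. The resolver override only changes the default; a net.Resolver created elsewhere in the program is unaffected, which is the caveat stated above.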
func Syscalls ¶
Syscalls tries to behave similarly to OpenBSD's pledge syscall. It puts the application into a syscall-restricted operating mode by selecting sets (collections of syscalls, see the promises on OpenBSD) as appropriate. You can call Syscalls() as often as needed, but each call can only reduce the sets allowed by the previous call. Using a syscall that is not allowed triggers the default action: the process is killed and the incident is logged to the kernel log (syslog). You can avoid this with the error set, which instead returns ENOSYS to the caller.
SyscallsExec is a no-op on Linux, because the restrictions applied by Syscalls() and Access() are inherited by child processes.
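The call-order rules spelled out for Access(), AccessLock(), Syscalls() and Disable() are easy to get wrong, so here is an added example (not the library's code) that models them in plain Go without touching Landlock or seccomp: the policy type, its Visible and SetAllowed helpers and the parseFlags routine are assumptions of this example, while the method names mirror the documented functions. The model enforces that Disable() comes first, that Access() requires an existing path and stops working after AccessLock(), that nothing is hidden until AccessLock() (the Landlock caveat above), that a registered directory covers everything beneath it, and that a second Syscalls() call can only shrink the sets.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// policy records the decisions the documented call-order rules imply.
// It is a model for illustration, not the restrict package itself.
type policy struct {
	started  bool
	disabled bool
	locked   bool
	pledged  bool              // true once Syscalls() was called
	paths    map[string]string // cleaned path -> subset of "crwx"
	sets     map[string]bool   // currently allowed sets
}

func newPolicy() *policy {
	return &policy{paths: map[string]string{}, sets: map[string]bool{}}
}

// Disable must be the first call; afterwards every other call is a no-op.
func (p *policy) Disable() error {
	if p.started {
		return errors.New("Disable must be the first restrict call")
	}
	p.started, p.disabled = true, true
	return nil
}

// parseFlags keeps c, r, w and x (in that order) and rejects anything else.
func parseFlags(flags string) (string, error) {
	var out strings.Builder
	for _, f := range "crwx" {
		if strings.ContainsRune(flags, f) {
			out.WriteRune(f)
		}
	}
	if out.Len() != len(flags) {
		return "", fmt.Errorf("flags %q: only c, r, w and x are valid", flags)
	}
	return out.String(), nil
}

// Access registers an existing path with flags; it is refused after AccessLock.
func (p *policy) Access(path, flags string) error {
	p.started = true
	if p.disabled {
		return nil
	}
	if p.locked {
		return errors.New("Access after AccessLock is not permitted")
	}
	f, err := parseFlags(flags)
	if err != nil {
		return err
	}
	if _, err := os.Stat(path); err != nil { // the path must already exist
		return fmt.Errorf("Access: %w", err)
	}
	p.paths[filepath.Clean(path)] = f
	return nil
}

// AccessLock activates the filesystem restrictions; it may be called once.
func (p *policy) AccessLock() error {
	p.started = true
	if p.disabled {
		return nil
	}
	if p.locked {
		return errors.New("AccessLock already called")
	}
	p.locked = true
	return nil
}

// Visible returns the flags granted for path: everything before AccessLock
// (mirroring Landlock), afterwards the longest registered prefix wins and a
// registered directory covers all paths beneath it. "" means no access.
func (p *policy) Visible(path string) string {
	if p.disabled || !p.locked {
		return "crwx"
	}
	path = filepath.Clean(path)
	best, flags := -1, ""
	for reg, f := range p.paths {
		rel, err := filepath.Rel(reg, path)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			continue
		}
		if len(reg) > best {
			best, flags = len(reg), f
		}
	}
	return flags
}

// Syscalls sets the allowed sets; a later call may only drop sets, never add.
func (p *policy) Syscalls(sets ...string) error {
	p.started = true
	if p.disabled {
		return nil
	}
	next := map[string]bool{}
	for _, s := range sets {
		if p.pledged && !p.sets[s] {
			return fmt.Errorf("Syscalls: set %q was not allowed by the previous call", s)
		}
		next[s] = true
	}
	p.sets, p.pledged = next, true
	return nil
}

// SetAllowed reports whether a set is currently permitted.
func (p *policy) SetAllowed(name string) bool {
	return p.disabled || !p.pledged || p.sets[name]
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	p := newPolicy()
	dir := os.TempDir()
	must(p.Access(dir, "rwc"))
	fmt.Printf("before lock: /etc/passwd=%q\n", p.Visible("/etc/passwd"))
	must(p.AccessLock())
	fmt.Printf("after lock: /etc/passwd=%q tmp=%q\n", p.Visible("/etc/passwd"), p.Visible(filepath.Join(dir, "x")))
	must(p.Syscalls("stdio", "rpath", "inet"))
	fmt.Println("drop inet:", p.Syscalls("stdio", "rpath"), "re-add inet:", p.Syscalls("stdio", "inet"))
}
```

Note the asymmetry the model makes explicit: an Access() call before AccessLock() changes nothing observable, and AccessLock() with no registered paths leaves Visible returning "" for every path, which is the "whole filesystem disallowed" case described above.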
func SyscallsExec
deprecated
SyscallsExec is a no-op on Linux.
Deprecated: on Linux, the Landlock¹ and seccomp² restrictions set up through Syscalls() are inherited by child processes.
¹ https://www.kernel.org/doc/html/latest/userspace-api/landlock.html#inheritance ² https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html#usage
Types ¶
This section is empty.