Documentation ¶
Overview ¶
Package seccomp contains Seccomp BPF filters and support routines.
Seccomp is highly dependent on the architecture: system call numbers, AUDIT_ARCH values and the width and mapping of argument registers all differ between targets. Months went into an attempt at a generic Seccomp package and it failed, so this package JUST works for XDOJ - do NOT use it outside XDOJ unless you know what you are doing.
This package assumes you want to use Seccomp filters, so it uses prctl(2) to set the no_new_privs bit at startup (even before the Go runtime initializes); without that bit a filter can only be installed with CAP_SYS_ADMIN. The bit cannot be cleared once set, so if you have to run setuid programs (which no_new_privs stops from gaining privileges), disable the startup setting and set the bit yourself immediately before installing the filter.
XDOJ should only use NoForkFilter, and should limit system resources by means other than PGID. Before Linux 4.8, however, the seccomp check ran before the ptrace syscall-entry stop, so a tracer could rewrite the system call number after the filter had already approved it; to close that bypass the ptrace syscall has to be filtered out.
Index ¶
- Constants
- func LoadArch() bpf.Instruction
- func LoadIP(h Half) bpf.Instruction
- func LoadNr() bpf.Instruction
- func LoadReg(n uint32, h Half) bpf.Instruction
- func RetAllow() bpf.Instruction
- func RetErrno(errno uint16) bpf.Instruction
- func RetKillProcess() bpf.Instruction
- func RetKillThread() bpf.Instruction
- func RetLog() bpf.Instruction
- func RetTrace(msg uint16) bpf.Instruction
- func RetTrap(errno uint16) bpf.Instruction
- func SeccompFilter(flags uintptr, filter []bpf.RawInstruction) error
- type Half
- type SockFprog
Constants ¶
const (
	EM_SPARC      = 2
	EM_386        = 3
	EM_68K        = 4
	EM_MIPS       = 8
	EM_PARISC     = 15
	EM_PPC        = 20
	EM_S390       = 22
	EM_ARM        = 40
	EM_SH         = 42
	EM_SPARCV9    = 43
	EM_IA_64      = 50
	EM_X86_64     = 62
	EM_CRIS       = 76
	EM_M32R       = 88
	EM_OPENRISC   = 92
	EM_AARCH64    = 183
	EM_TILEPRO    = 188
	EM_MICROBLAZE = 189
	EM_TILEGX     = 191
	EM_FRV        = 0x5441
	EM_ALPHA      = 0x9026
)
Some constants from linux/elf-em.h
const (
	AuditArch64Bit = 0x80000000
	AuditArchLE    = 0x40000000
	AuditArchN32   = 0x20000000

	AuditArchAARCH64    = EM_AARCH64 | AuditArch64Bit | AuditArchLE
	AuditArchALPHA      = EM_ALPHA | AuditArch64Bit | AuditArchLE
	AuditArchARM        = EM_ARM | AuditArchLE
	AuditArchARMEB      = EM_ARM
	AuditArchCRIS       = EM_CRIS | AuditArchLE
	AuditArchFRV        = EM_FRV
	AuditArchI386       = EM_386 | AuditArchLE
	AuditArchIA64       = EM_IA_64 | AuditArch64Bit | AuditArchLE
	AuditArchM32R       = EM_M32R
	AuditArchM68K       = EM_68K
	AuditArchMICROBLAZE = EM_MICROBLAZE
	AuditArchMIPS       = EM_MIPS
	AuditArchMIPSEL     = EM_MIPS | AuditArchLE
	AuditArchMIPS64     = EM_MIPS | AuditArch64Bit
	AuditArchMIPS64N32  = AuditArchMIPS64 | AuditArchN32
	AuditArchMIPSEL64   = AuditArchMIPS64 | AuditArchLE
	AuditArchMIPSEL64N32 = AuditArchMIPS64N32 | AuditArchLE
	AuditArchOPENRISC   = EM_OPENRISC
	AuditArchPARISC     = EM_PARISC
	AuditArchPARISC64   = EM_PARISC | AuditArch64Bit
	AuditArchPPC        = EM_PPC
	AuditArchPPC64      = EM_PPC | AuditArch64Bit
	AuditArchPPC64LE    = AuditArchPPC64 | AuditArchLE
	AuditArchS390       = EM_S390
	AuditArchS390X      = EM_S390 | AuditArch64Bit
	AuditArchSH         = EM_SH
	AuditArchSHEL       = EM_SH | AuditArchLE
	AuditArchSH64       = EM_SH | AuditArch64Bit
	AuditArchSHEL64     = AuditArchSHEL | AuditArch64Bit
	AuditArchSPARC      = EM_SPARC
	AuditArchSPARC64    = EM_SPARCV9 | AuditArch64Bit
	AuditArchTILEGX     = EM_TILEGX | AuditArch64Bit | AuditArchLE
	AuditArchTILEGX32   = EM_TILEGX | AuditArchLE
	AuditArchTILEPRO    = EM_TILEPRO | AuditArchLE
	AuditArchX86_64     = EM_X86_64 | AuditArch64Bit | AuditArchLE
)
Some values from linux/audit.h
const (
	SECCOMP_RET_KILL_PROCESS = 0x80000000
	SECCOMP_RET_KILL_THREAD  = 0x00000000
	SECCOMP_RET_KILL         = SECCOMP_RET_KILL_THREAD
	SECCOMP_RET_TRAP         = 0x00030000
	SECCOMP_RET_ERRNO        = 0x00050000
	SECCOMP_RET_TRACE        = 0x7ff00000
	SECCOMP_RET_LOG          = 0x7ffc0000
	SECCOMP_RET_ALLOW        = 0x7fff0000
)
Some values from linux/seccomp.h
const (
	SECCOMP_FILTER_FLAG_TSYNC = 1
	SECCOMP_FILTER_FLAG_LOG   = 2
)
Variables ¶
This section is empty.
Functions ¶
func LoadArch ¶
func LoadArch() bpf.Instruction
Generate an instruction loading the AUDIT_ARCH_* value from seccomp data. A filter should compare this value first and kill on a mismatch, since system call numbers only have meaning for the architecture they belong to.
func LoadIP ¶
func LoadIP(h Half) bpf.Instruction
Generate an instruction to load one half of the instruction pointer from seccomp data.
func LoadNr ¶
func LoadNr() bpf.Instruction
Generate an instruction loading the system call number from seccomp data.
func LoadReg ¶
func LoadReg(n uint32, h Half) bpf.Instruction
Generate an instruction to load one half of the 64-bit argument register n from seccomp data. Classic BPF can only compare 32 bits at a time, so check both halves of an argument; a filter that tests only the low half can be satisfied by a different 64-bit value with the same low 32 bits.
func RetErrno ¶
func RetErrno(errno uint16) bpf.Instruction
Generate an instruction to return an errno for the system call, without executing it.
func RetKillProcess ¶
func RetKillProcess() bpf.Instruction
Generate an instruction to kill the whole process (SECCOMP_RET_KILL_PROCESS, available since Linux 4.14).
func RetKillThread ¶
func RetKillThread() bpf.Instruction
Generate an instruction to kill only the calling thread (SECCOMP_RET_KILL_THREAD, the action older kernels call SECCOMP_RET_KILL). The other threads of a multi-threaded program keep running, so use RetKillProcess where the sandboxed program must not survive the violation.
func RetLog ¶
func RetLog() bpf.Instruction
Generate an instruction to allow the system call after the filter's return action has been logged (SECCOMP_RET_LOG, available since Linux 4.14).
func RetTrace ¶
func RetTrace(msg uint16) bpf.Instruction
Generate an instruction to notify a ptrace-based tracer prior to executing the system call. The tracer can use PTRACE_GETEVENTMSG to get the msg value. If no tracer is attached, the system call is not executed and fails with ENOSYS.
func RetTrap ¶
func RetTrap(errno uint16) bpf.Instruction
Generate an instruction to send a catchable SIGSYS signal to the process, and set the si_errno field of the siginfo_t structure to errno.
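The following is an added example, not code from the XDOJ package: it reimplements the instruction generators described above over the kernel's raw sock_filter layout using only the Go standard library (so it runs without golang.org/x/net/bpf), builds a small allow-list policy, and runs it through a classic-BPF simulator over constructed seccomp_data records. All names here (ld, buildFilter, simulate, seccompData) and the x86-64 syscall numbers are this example's own assumptions, and the half-word loads assume a little-endian target.

```go
package main

import (
	"fmt"
	"syscall"
)

// sockFilter mirrors struct sock_filter (<linux/filter.h>), the same fields as the page's bpf.RawInstruction.
type sockFilter struct{ Code uint16; Jt, Jf uint8; K uint32 }

const (
	opLdAbsW, opJeqK, opJgeK, opRetK = 0x20, 0x15, 0x35, 0x06 // BPF_LD|W|ABS, JMP|JEQ|K, JMP|JGE|K, RET|K
	offNr, offArch, offArgs          = 0, 4, 16                 // struct seccomp_data: nr, arch, args[6] (ip at 8)
	retKillProcess, retErrno, retAllow = 0x80000000, 0x00050000, 0x7fff0000
	auditArchX86_64                    = 0x80000000 | 0x40000000 | 62 // AUDIT_ARCH_X86_64
	x32SyscallBit                      = 0x40000000                   // x32-ABI syscall numbers carry this bit
	// x86-64 syscall numbers for the sample policy (assumed from <asm/unistd_64.h>).
	sysRead, sysWrite, sysRtSigreturn, sysExitGroup = 0, 1, 15, 231
)

// Generators in the spirit of the page's LoadArch/LoadNr/LoadReg/Ret*; halves assume little-endian (low word first).
func ld(off uint32) sockFilter              { return sockFilter{Code: opLdAbsW, K: off} }
func loadArch() sockFilter                  { return ld(offArch) }
func loadNr() sockFilter                    { return ld(offNr) }
func loadArgLow(n uint32) sockFilter        { return ld(offArgs + 8*n) }
func loadArgHigh(n uint32) sockFilter       { return ld(offArgs + 8*n + 4) }
func jeq(k uint32, jt, jf uint8) sockFilter { return sockFilter{Code: opJeqK, Jt: jt, Jf: jf, K: k} }
func jge(k uint32, jt, jf uint8) sockFilter { return sockFilter{Code: opJgeK, Jt: jt, Jf: jf, K: k} }
func ret(k uint32) sockFilter               { return sockFilter{Code: opRetK, K: k} }

// buildFilter emits the usual allow-list shape: kill on a foreign arch (and on x32 numbers on x86-64), allow the
// listed syscalls, allow write(2) only on fd 1 or 2 with both halves of args[0] checked, else EPERM. Keep sysWrite out of allowed.
func buildFilter(arch uint32, allowed []uint32) []sockFilter {
	p := []sockFilter{loadArch(), jeq(arch, 1, 0), ret(retKillProcess), loadNr()}
	if arch == auditArchX86_64 {
		p = append(p, jge(x32SyscallBit, 0, 1), ret(retKillProcess))
	}
	for _, nr := range allowed {
		p = append(p, jeq(nr, 0, 1), ret(retAllow))
	}
	return append(p,
		jeq(sysWrite, 0, 6),          // not write: skip the six-instruction fd check below
		loadArgHigh(0), jeq(0, 0, 4), // high half of fd must be zero, else skip to EPERM
		loadArgLow(0), jeq(1, 1, 0), jeq(2, 0, 1), ret(retAllow),
		ret(retErrno|uint32(syscall.EPERM)),
	)
}

type seccompData struct{ Nr int32; Arch uint32; Args [6]uint64 } // struct seccomp_data (instruction_pointer omitted)

// word is what BPF_LD|BPF_W|BPF_ABS reads at byte offset off; false for an offset the kernel would reject.
func (d seccompData) word(off uint32) (uint32, bool) {
	switch {
	case off == offNr:
		return uint32(d.Nr), true
	case off == offArch:
		return d.Arch, true
	case off >= offArgs && off < offArgs+48 && off%4 == 0:
		return uint32(d.Args[(off-offArgs)/8] >> (8 * ((off - offArgs) % 8))), true
	}
	return 0, false
}

// simulate runs prog over one syscall the way the kernel's cBPF interpreter would and returns the
// SECCOMP_RET_* action word, so a policy can be unit-tested before a mistake in it kills a process.
func simulate(prog []sockFilter, d seccompData) (uint32, error) {
	var acc uint32
	for pc := 0; pc < len(prog); pc++ {
		in := prog[pc]
		switch in.Code {
		case opLdAbsW:
			var ok bool
			if acc, ok = d.word(in.K); !ok {
				return 0, fmt.Errorf("bad seccomp_data load at offset %d", in.K)
			}
		case opJeqK, opJgeK: // jump offsets are relative to the next instruction
			off := in.Jf
			if (in.Code == opJeqK && acc == in.K) || (in.Code == opJgeK && acc >= in.K) {
				off = in.Jt
			}
			pc += int(off)
		case opRetK:
			return in.K, nil
		default:
			return 0, fmt.Errorf("opcode %#x at %d not modelled", in.Code, pc)
		}
	}
	return 0, fmt.Errorf("fell off the end; the kernel rejects such a program at load time")
}

func main() {
	prog := buildFilter(auditArchX86_64, []uint32{sysRead, sysRtSigreturn, sysExitGroup})
	for _, d := range []seccompData{ // constructed sample syscalls
		{Nr: sysWrite, Arch: auditArchX86_64, Args: [6]uint64{1 << 32}}, // EPERM: high half of fd set
		{Nr: sysRead, Arch: 0x40000003 /* AUDIT_ARCH_I386 */},           // KILL_PROCESS
	} {
		act, err := simulate(prog, d)
		fmt.Printf("nr=%d arch=%#x args0=%#x -> %#x %v\n", d.Nr, d.Arch, d.Args[0], act, err)
	}
}
```

The simulator covers only the four opcodes the generators emit; a program that uses other classic-BPF instructions is reported rather than silently mis-evaluated. Running a policy through it with the syscalls the sandboxed program is expected to make, and with the ones it must not, is cheaper than discovering a wrong jump offset as a dead child.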
func SeccompFilter ¶
func SeccompFilter(flags uintptr, filter []bpf.RawInstruction) error
Install a seccomp filter with the given SECCOMP_FILTER_FLAG_* flags. Loading a filter requires the no_new_privs bit (set by this package at startup) or CAP_SYS_ADMIN, and the kernel validates the program first: it must end in a return and be at most BPF_MAXINSNS (4096) instructions. Without SECCOMP_FILTER_FLAG_TSYNC the filter applies only to the calling thread, which in a Go program is not necessarily the thread a goroutine runs on next.
Types ¶
type SockFprog ¶
type SockFprog struct {
	Len    uint16
	Filter *bpf.RawInstruction
	// contains filtered or unexported fields
}
func NewSockFprog ¶
func NewSockFprog(insn []bpf.RawInstruction) (*SockFprog, error)
Create a SockFprog (the kernel's struct sock_fprog: an instruction count and a pointer to the first bpf.RawInstruction) wrapping insn, for use with the seccomp syscall.
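The following is an added example, not code from the XDOJ package: using only the Go standard library on Linux, it does what the page describes for NewSockFprog and SeccompFilter, setting no_new_privs with prctl(2), wrapping a raw filter in the kernel's sock_fprog layout, and loading it with seccomp(2) and SECCOMP_FILTER_FLAG_TSYNC. The per-architecture seccomp(2) numbers, the x86-64 syscall numbers and the policy itself are this example's assumptions; it uses a deny-list rather than XDOJ's allow-list so that it can be run inside a live Go process, whose runtime would be killed by a filter that omits its own syscalls.

```go
package main

import (
	"fmt"
	"runtime"
	"syscall"
	"unsafe"
)

// sockFilter and sockFprog mirror struct sock_filter and struct sock_fprog (<linux/filter.h>); the page's
// bpf.RawInstruction and SockFprog share this layout, which is what the kernel reads through the pointer.
type sockFilter struct{ Code uint16; Jt, Jf uint8; K uint32 }
type sockFprog struct {
	Len    uint16
	Filter *sockFilter
}

const (
	prSetNoNewPrivs                    = 38 // prctl(2) option
	seccompSetModeFilter               = 1  // seccomp(2) operation
	seccompFilterFlagTsync             = 1  // SECCOMP_FILTER_FLAG_TSYNC
	retKillProcess, retErrno, retAllow = 0x80000000, 0x00050000, 0x7fff0000
	auditArchX86_64                    = 0x80000000 | 0x40000000 | 62
	// x86-64 numbers of the syscalls the sample policy denies (assumed from <asm/unistd_64.h>).
	sysPtrace, sysMkdir, sysMkdirat = 101, 83, 258
)

// seccompNr returns __NR_seccomp, which differs per architecture: one reason the overview calls the package
// architecture-dependent. Only the architectures this example knows are listed.
func seccompNr() (uintptr, error) {
	switch runtime.GOARCH {
	case "amd64":
		return 317, nil
	case "386":
		return 354, nil
	case "arm64", "riscv64":
		return 277, nil
	}
	return 0, fmt.Errorf("__NR_seccomp for %s is not known to this example", runtime.GOARCH)
}

// denyFilter builds a permissive policy: kill on a foreign arch, fail the listed syscalls with EPERM, allow the
// rest. A deny-list is weaker than an allow-list, but it is safe to load into a running Go process, whose
// runtime needs futex, mmap, nanosleep and more; XDOJ installs its allow-list in the child just before exec.
func denyFilter(arch uint32, denied []uint32) []sockFilter {
	p := []sockFilter{
		{Code: 0x20, K: 4},                  // BPF_LD|BPF_W|BPF_ABS seccomp_data.arch
		{Code: 0x15, Jt: 1, Jf: 0, K: arch}, // arch matches: skip the kill
		{Code: 0x06, K: retKillProcess},
		{Code: 0x20, K: 0}, // BPF_LD|BPF_W|BPF_ABS seccomp_data.nr
	}
	for _, nr := range denied {
		p = append(p, sockFilter{Code: 0x15, Jf: 1, K: nr}, sockFilter{Code: 0x06, K: retErrno | uint32(syscall.EPERM)})
	}
	return append(p, sockFilter{Code: 0x06, K: retAllow})
}

// install does what the page describes for NewSockFprog and SeccompFilter: set no_new_privs (needed to load a
// filter without CAP_SYS_ADMIN; it cannot be cleared again), wrap the program in a sock_fprog and call seccomp(2).
// With TSYNC the filter lands on every thread; without it only the calling thread is filtered, and a goroutine
// may be running on a different OS thread by its next syscall.
func install(prog []sockFilter, flags uintptr) error {
	nr, err := seccompNr()
	if err != nil {
		return err
	}
	if len(prog) == 0 || len(prog) > 4096 { // BPF_MAXINSNS; the kernel would reject these too
		return fmt.Errorf("filter has %d instructions", len(prog))
	}
	if _, _, e := syscall.Syscall6(syscall.SYS_PRCTL, prSetNoNewPrivs, 1, 0, 0, 0, 0); e != 0 {
		return fmt.Errorf("PR_SET_NO_NEW_PRIVS: %v", e)
	}
	fprog := sockFprog{Len: uint16(len(prog)), Filter: &prog[0]}
	r, _, e := syscall.Syscall(nr, seccompSetModeFilter, flags, uintptr(unsafe.Pointer(&fprog)))
	runtime.KeepAlive(prog)
	if e != 0 {
		return fmt.Errorf("seccomp(SECCOMP_SET_MODE_FILTER, %#x): %v", flags, e)
	}
	if r != 0 { // with TSYNC the kernel reports the thread it could not synchronize instead of -1
		return fmt.Errorf("TSYNC: thread %d has an incompatible filter", r)
	}
	return nil
}

func main() {
	if runtime.GOARCH != "amd64" {
		fmt.Println("the sample policy uses x86-64 syscall numbers; nothing installed")
		return
	}
	prog := denyFilter(auditArchX86_64, []uint32{sysPtrace, sysMkdir, sysMkdirat})
	if err := install(prog, seccompFilterFlagTsync); err != nil {
		fmt.Println("install:", err)
		return
	}
	// syscall.Mkdir on linux/amd64 goes through mkdirat, which the policy now fails with EPERM.
	fmt.Println("mkdir after the filter:", syscall.Mkdir("/tmp/seccomp-example-dir", 0700))
}
```

Once install returns, the filter and the no_new_privs bit stay with the process for its lifetime and are inherited across fork and execve, which is why XDOJ applies its real policy in the child immediately before exec rather than in the judge process.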