seccomp

package module
v0.0.0-...-ea76662
Published: May 17, 2019 License: AGPL-3.0 Imports: 5 Imported by: 1

README

seccomp

A minimal and native seccomp package for Go.

Documentation

Overview

Package seccomp contains Seccomp BPF filters and support routines.

Seccomp is highly dependent on architecture. Months went into an attempt at a generic seccomp package, without success, so this package just works for its own target: do NOT use it outside XDOJ unless you know what you are doing.

This package assumes you want to use seccomp filters, so it uses prctl(2) to set the no_new_privs bit at startup (even before Go runtime initialization). Note that PR_SET_NO_NEW_PRIVS is one-way: once set it cannot be cleared, and it is inherited across fork and execve. If you have to exec setuid programs, do not set it at startup, but do set it before installing a filter, since the kernel refuses to install a seccomp filter unless no_new_privs is set or the caller has CAP_SYS_ADMIN.

XDOJ should only use NoForkFilter and rely on techniques other than the PGID to limit system resources. Before Linux 4.8, though, the seccomp check was not re-run after a ptrace(2) tracer was notified at syscall entry, so a tracer could rewrite a syscall after the filter had already allowed it; that is why the ptrace syscall has to be filtered out as well.

Index

Constants

const (
	EM_SPARC      = 2
	EM_386        = 3
	EM_68K        = 4
	EM_MIPS       = 8
	EM_PARISC     = 15
	EM_PPC        = 20
	EM_S390       = 22
	EM_ARM        = 40
	EM_SH         = 42
	EM_SPARCV9    = 43
	EM_IA_64      = 50
	EM_X86_64     = 62
	EM_CRIS       = 76
	EM_M32R       = 88
	EM_OPENRISC   = 92
	EM_AARCH64    = 183
	EM_TILEPRO    = 188
	EM_MICROBLAZE = 189
	EM_TILEGX     = 191
	EM_FRV        = 0x5441
	EM_ALPHA      = 0x9026
)

Some constants from linux/elf-em.h

const (
	AuditArch64Bit = 0x80000000
	AuditArchLE    = 0x40000000
	AuditArchN32   = 0x20000000

	AuditArchAARCH64     = EM_AARCH64 | AuditArch64Bit | AuditArchLE
	AuditArchALPHA       = EM_ALPHA | AuditArch64Bit | AuditArchLE
	AuditArchARM         = EM_ARM | AuditArchLE
	AuditArchARMEB       = EM_ARM
	AuditArchCRIS        = EM_CRIS | AuditArchLE
	AuditArchFRV         = EM_FRV
	AuditArchI386        = EM_386 | AuditArchLE
	AuditArchIA64        = EM_IA_64 | AuditArch64Bit | AuditArchLE
	AuditArchM32R        = EM_M32R
	AuditArchM68K        = EM_68K
	AuditArchMICROBLAZE  = EM_MICROBLAZE
	AuditArchMIPS        = EM_MIPS
	AuditArchMIPSEL      = EM_MIPS | AuditArchLE
	AuditArchMIPS64      = EM_MIPS | AuditArch64Bit
	AuditArchMIPS64N32   = AuditArchMIPS64 | AuditArchN32
	AuditArchMIPSEL64    = AuditArchMIPS64 | AuditArchLE
	AuditArchMIPSEL64N32 = AuditArchMIPS64N32 | AuditArchLE
	AuditArchOPENRISC    = EM_OPENRISC
	AuditArchPARISC      = EM_PARISC
	AuditArchPARISC64    = EM_PARISC | AuditArch64Bit
	AuditArchPPC         = EM_PPC
	AuditArchPPC64       = EM_PPC | AuditArch64Bit
	AuditArchPPC64LE     = AuditArchPPC64 | AuditArchLE
	AuditArchS390        = EM_S390
	AuditArchS390X       = EM_S390 | AuditArch64Bit
	AuditArchSH          = EM_SH
	AuditArchSHEL        = EM_SH | AuditArchLE
	AuditArchSH64        = EM_SH | AuditArch64Bit
	AuditArchSHEL64      = AuditArchSHEL | AuditArch64Bit
	AuditArchSPARC       = EM_SPARC
	AuditArchSPARC64     = EM_SPARCV9 | AuditArch64Bit
	AuditArchTILEGX      = EM_TILEGX | AuditArch64Bit | AuditArchLE
	AuditArchTILEGX32    = EM_TILEGX | AuditArchLE
	AuditArchTILEPRO     = EM_TILEPRO | AuditArchLE
	AuditArchX86_64      = EM_X86_64 | AuditArch64Bit | AuditArchLE
)

Some values from linux/audit.h

const (
	SECCOMP_RET_KILL_PROCESS = 0x80000000
	SECCOMP_RET_KILL_THREAD  = 0x00000000
	SECCOMP_RET_KILL         = SECCOMP_RET_KILL_THREAD
	SECCOMP_RET_TRAP         = 0x00030000
	SECCOMP_RET_ERRNO        = 0x00050000
	SECCOMP_RET_TRACE        = 0x7ff00000
	SECCOMP_RET_LOG          = 0x7ffc0000
	SECCOMP_RET_ALLOW        = 0x7fff0000
)

Some values from linux/seccomp.h

const (
	SECCOMP_FILTER_FLAG_TSYNC = 1
	SECCOMP_FILTER_FLAG_LOG   = 2
)

Variables

This section is empty.

Functions

func LoadArch

func LoadArch() bpf.Instruction

Generate an instruction loading the AUDIT_ARCH_* value from seccomp data. A filter should check this value first, before looking at the syscall number, since syscall numbers differ between ABIs.

func LoadIP

func LoadIP(h Half) bpf.Instruction

Generate an instruction to load one half of instruction pointer from seccomp data.

func LoadNr

func LoadNr() bpf.Instruction

Generate an instruction loading the system call number from seccomp data.

func LoadReg

func LoadReg(n uint32, h Half) bpf.Instruction

Generate an instruction to load one half of a 64-bit register from seccomp data.

func RetAllow

func RetAllow() bpf.Instruction

Generate an instruction to allow the system call.

func RetErrno

func RetErrno(errno uint16) bpf.Instruction

Generate an instruction to return an errno for the system call, without executing it.

func RetKillProcess

func RetKillProcess() bpf.Instruction

Generate an instruction to kill the process.

func RetKillThread

func RetKillThread() bpf.Instruction

Generate an instruction to kill the thread.

func RetLog

func RetLog() bpf.Instruction

Generate an instruction to allow the system call to be executed after the filter return action is logged.

func RetTrace

func RetTrace(msg uint16) bpf.Instruction

Generate an instruction to notify a ptrace-based tracer prior to executing the system call. The tracer can use PTRACE_GETEVENTMSG to get the msg value.

func RetTrap

func RetTrap(errno uint16) bpf.Instruction

Generate an instruction to send a catchable SIGSYS signal to the process, and set the si_errno field of the siginfo_t structure to errno.

func SeccompFilter

func SeccompFilter(flags uintptr, filter []bpf.RawInstruction) error

Install a seccomp filter.

Types

type Half

type Half uint32

Selects which 32-bit half of a 64-bit register LoadReg and LoadIP read. The values are byte offsets into the 64-bit field, so Low and High assume a little-endian layout.

const (
	Low  Half = 0
	High Half = 4
)

type SockFprog

type SockFprog struct {
	Len uint16

	Filter *bpf.RawInstruction
	// contains filtered or unexported fields
}

func NewSockFprog

func NewSockFprog(insn []bpf.RawInstruction) (*SockFprog, error)

Create a SockFprog instance which can be used with the seccomp(2) syscall.
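As an added example that is not code from this package or from XDOJ: a stand-alone Go program that builds a filter in the style of the API above (arch check first, then LoadNr, then LoadReg with the Low/High halves of a 64-bit argument, then Ret* actions) and runs it through a small classic-BPF interpreter over constructed seccomp_data, so the filter's verdicts can be checked offline without installing it. It uses only the standard library; the lowercase helpers mirror the package's function names but are reimplemented here rather than imported, and the AUDIT_ARCH value, SECCOMP_RET_* values, BPF opcodes, x86_64 syscall numbers and the little-endian struct seccomp_data layout are assumptions stated in the comments.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Assumed x86_64 (little-endian) values; they mirror the package's constants
// but are redefined here so the example runs stand-alone.
const (
	auditArchX86_64                    = 0xc000003e // EM_X86_64 | AuditArch64Bit | AuditArchLE
	retKillProcess, retErrno, retAllow = 0x80000000, 0x00050000, 0x7fff0000
	retActionMask, retDataMask         = 0xffff0000, 0x0000ffff // SECCOMP_RET_ACTION_FULL, SECCOMP_RET_DATA
	offNr, offArch, offArgs            = 0, 4, 16 // byte offsets into struct seccomp_data
	opLdAbsW, opJeqK, opRetK           = 0x20, 0x15, 0x06 // BPF_LD|BPF_W|BPF_ABS, BPF_JMP|BPF_JEQ|BPF_K, BPF_RET|BPF_K
	sysWrite, sysExitGroup, eperm      = 1, 231, 1 // x86_64 syscall numbers and EPERM (assumed)
)

// half is the byte offset of the low or high 32 bits of a 64-bit field (LE layout).
type half uint32

const low, high half = 0, 4

// insn mirrors struct sock_filter, the unit the kernel consumes.
type insn struct{ Code uint16; Jt, Jf uint8; K uint32 }

func loadArch() insn                  { return insn{Code: opLdAbsW, K: offArch} }
func loadNr() insn                    { return insn{Code: opLdAbsW, K: offNr} }
func loadReg(n uint32, h half) insn   { return insn{Code: opLdAbsW, K: offArgs + 8*n + uint32(h)} }
func jeq(k uint32, jt, jf uint8) insn { return insn{Code: opJeqK, Jt: jt, Jf: jf, K: k} }
func ret(k uint32) insn               { return insn{Code: opRetK, K: k} }

// buildFilter pins the ABI first, allows exit_group, allows write(2) only when
// fd is 1 or 2, and answers everything else with EPERM. Jump targets are
// relative to the next instruction, as in the kernel.
func buildFilter() []insn {
	return []insn{
		loadArch(),
		jeq(auditArchX86_64, 1, 0),
		ret(retKillProcess), // foreign ABI: kill, never just errno
		loadNr(),
		jeq(sysExitGroup, 0, 1), ret(retAllow),
		jeq(sysWrite, 0, 6), // not write: jump to the final EPERM
		loadReg(0, high),    // fd is a 64-bit arg: a set high half is not fd 1 or 2
		jeq(0, 0, 4),
		loadReg(0, low),
		jeq(1, 1, 0),
		jeq(2, 0, 1),
		ret(retAllow),
		ret(retErrno | eperm),
	}
}

// run evaluates prog over a seccomp_data blob the way the kernel's cBPF
// interpreter does, for the three opcodes used above (anything else panics).
func run(prog []insn, data []byte) uint32 {
	var acc uint32
	for pc := 0; ; {
		in := prog[pc] // running off the end panics; the kernel rejects such programs at load
		switch in.Code {
		case opLdAbsW:
			acc, pc = binary.LittleEndian.Uint32(data[in.K:]), pc+1
		case opJeqK:
			if acc == in.K {
				pc += 1 + int(in.Jt)
			} else {
				pc += 1 + int(in.Jf)
			}
		case opRetK:
			return in.K
		default:
			panic(fmt.Sprintf("pc %d: unsupported opcode %#x", pc, in.Code))
		}
	}
}

// seccompData builds the 64-byte struct seccomp_data (constructed input).
func seccompData(arch, nr uint32, args ...uint64) []byte {
	b := make([]byte, 64)
	binary.LittleEndian.PutUint32(b[offNr:], nr)
	binary.LittleEndian.PutUint32(b[offArch:], arch)
	for i, a := range args {
		binary.LittleEndian.PutUint64(b[offArgs+8*i:], a)
	}
	return b
}

// decide returns the action and data (errno) parts of the verdict for one call.
func decide(arch, nr uint32, args ...uint64) (action, data uint32) {
	v := run(buildFilter(), seccompData(arch, nr, args...))
	return v & retActionMask, v & retDataMask
}

func main() {
	for _, fd := range []uint64{1, 3, 1<<32 | 1} {
		a, d := decide(auditArchX86_64, sysWrite, fd)
		fmt.Printf("write(fd=%#x): action=%#x errno=%d\n", fd, a, d)
	}
}
```

The third case in main is the one worth noticing: fd 0x100000001 has the allowed value 1 in its low half, so a filter that only loaded the Low half would let it through; checking the High half first is what makes the argument comparison sound. On a real kernel the equivalent installation step would be NewSockFprog followed by SeccompFilter, which this example deliberately never performs.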
