Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- package main
- import (
- "errors"
- "log"
- "os/exec"
- "syscall"
- "unsafe"
- )
- // Checkout google/kafel in this dir and build libkafel.a.
- // #cgo CFLAGS: -I${SRCDIR}/kafel/include
- // #cgo LDFLAGS: -L${SRCDIR}/kafel -lkafel
- // #include <linux/filter.h>
- // #include <linux/seccomp.h>
- // #include <sys/prctl.h>
- // #include <stdlib.h>
- // #include <kafel.h>
- import "C"
- const killPolicy = `POLICY a { KILL { execve, clone, fork } } USE a DEFAULT ALLOW`
- const errorPolicy = `POLICY a { ERRNO(1) { execve, clone, fork } } USE a DEFAULT ALLOW`
- func main() {
- prog, err := BuildSeccompBPFFilter(errorPolicy)
- if err != nil {
- log.Fatal(err)
- }
- if err := NoNewPrivs(); err != nil {
- log.Fatal(err)
- }
- if err := InstallSeccomp(prog); err != nil {
- log.Fatal(err)
- }
- log.Println("seccomp filter installed")
- log.Println("attempting to exec")
- out, err := exec.Command("ls", "-la").Output()
- if err != nil {
- log.Fatal("exec failed", err)
- }
- log.Println("cmd output:", string(out))
- log.Println("Done")
- }
- // Build filter.
- func BuildSeccompBPFFilter(policy string) (*C.struct_sock_fprog, error) {
- policyPtr := C.CString(policy)
- defer C.free(unsafe.Pointer(policyPtr))
- prog := C.struct_sock_fprog{}
- if rc := C.kafel_compile_string(policyPtr, &prog); rc != 0 {
- return nil, errors.New("policy compilation failed")
- }
- return &prog, nil
- }
- // NoNewPrivs will use prctl to stop new privileges using native methods
- func NoNewPrivs() error {
- return prctl(C.PR_SET_NO_NEW_PRIVS, 1)
- }
- // InstallSeccomp will install seccomp using native methods.
- func InstallSeccomp(prog *C.struct_sock_fprog) error {
- return seccomp(C.SECCOMP_SET_MODE_FILTER, C.SECCOMP_FILTER_FLAG_TSYNC, unsafe.Pointer(prog))
- }
- // seccomp syscall wrapper.
- func seccomp(op, flags uintptr, uargs unsafe.Pointer) error {
- // This is an amd64 specific syscall number.
- _, _, e := syscall.Syscall(uintptr(317), op, flags, uintptr(uargs))
- if e != 0 {
- return e
- }
- return nil
- }
- // prctl syscall wrapper.
- func prctl(option uintptr, args ...uintptr) error {
- if len(args) > 4 {
- return syscall.E2BIG
- }
- var arg [4]uintptr
- copy(arg[:], args)
- _, _, e := syscall.Syscall6(syscall.SYS_PRCTL, option, arg[0], arg[1], arg[2], arg[3], 0)
- if e != 0 {
- return e
- }
- return nil
- }
- // Sample output:
- // 2017/09/20 20:06:13 seccomp filter installed
- // 2017/09/20 20:06:13 attempting to exec
- // 2017/09/20 20:06:13 exec failedfork/exec /bin/ls: operation not permitted
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement