  1. package main
  2.  
  3. import (
  4. "errors"
  5. "log"
  6. "os/exec"
  7. "syscall"
  8. "unsafe"
  9. )
  10.  
// Check out google/kafel in this directory and build libkafel.a before building this program.
  12.  
  13. // #cgo CFLAGS: -I${SRCDIR}/kafel/include
  14. // #cgo LDFLAGS: -L${SRCDIR}/kafel -lkafel
  15. // #include <linux/filter.h>
  16. // #include <linux/seccomp.h>
  17. // #include <sys/prctl.h>
  18. // #include <stdlib.h>
  19. // #include <kafel.h>
  20. import "C"
  21.  
// Kafel policies used by the demo. Both deny the process-spawning calls
// (execve, clone, fork) and allow every other syscall; they differ only in
// the action taken when a denied call is attempted.
const (
	// killPolicy terminates the offending task outright.
	killPolicy = `POLICY a { KILL { execve, clone, fork } } USE a DEFAULT ALLOW`
	// errorPolicy lets the task live and fails the call with errno 1 (EPERM),
	// which is what the sample output at the bottom of the file shows.
	errorPolicy = `POLICY a { ERRNO(1) { execve, clone, fork } } USE a DEFAULT ALLOW`
)
  24.  
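// main compiles the ERRNO demo policy, locks the process with
// PR_SET_NO_NEW_PRIVS, installs the filter on every thread and then tries
// to spawn a child. With errorPolicy the spawn is expected to fail with
// EPERM; the final log line is the demonstration, not a bug.
func main() {
	prog, err := BuildSeccompBPFFilter(errorPolicy)
	if err != nil {
		log.Fatal(err)
	}

	// no_new_privs must be set before the filter is installed: an
	// unprivileged process (no CAP_SYS_ADMIN) otherwise has its
	// SECCOMP_SET_MODE_FILTER request rejected by the kernel.
	if err := NoNewPrivs(); err != nil {
		log.Fatal(err)
	}

	if err := InstallSeccomp(prog); err != nil {
		log.Fatal(err)
	}
	log.Println("seccomp filter installed")

	log.Println("attempting to exec")
	out, err := exec.Command("ls", "-la").Output()
	if err != nil {
		// Fatalf with an explicit separator: the previous
		// log.Fatal("exec failed", err) ran the two values together,
		// producing "exec failedfork/exec ..." (see the sample output
		// at the bottom of the file).
		log.Fatalf("exec failed: %v", err)
	}
	log.Println("cmd output:", string(out))

	log.Println("Done")
}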
  49.  
// BuildSeccompBPFFilter compiles a Kafel policy string into a classic BPF
// program suitable for SECCOMP_SET_MODE_FILTER.
//
// The policy text is copied into C memory only for the duration of the
// call. The returned sock_fprog's filter array is populated by libkafel
// and is not released here; how (and whether) it must be freed is
// defined by kafel.h — check there before adding cleanup. A non-zero
// return code from kafel_compile_string is reported as an error.
func BuildSeccompBPFFilter(policy string) (*C.struct_sock_fprog, error) {
	cPolicy := C.CString(policy)
	defer C.free(unsafe.Pointer(cPolicy))

	var prog C.struct_sock_fprog
	rc := C.kafel_compile_string(cPolicy, &prog)
	if rc == 0 {
		return &prog, nil
	}
	return nil, errors.New("policy compilation failed")
}
  62.  
// NoNewPrivs sets the no_new_privs bit on the calling process through
// prctl(PR_SET_NO_NEW_PRIVS, 1). Once set, execve can no longer grant the
// process additional privileges (set-user-ID, file capabilities); the bit
// is inherited by children and cannot be cleared. It is also the
// precondition for an unprivileged process to install a seccomp filter.
// The raw prctl errno is returned on failure.
func NoNewPrivs() error {
	const enable uintptr = 1
	return prctl(C.PR_SET_NO_NEW_PRIVS, enable)
}
  67.  
// InstallSeccomp loads prog as the process's seccomp filter using
// SECCOMP_SET_MODE_FILTER. SECCOMP_FILTER_FLAG_TSYNC is passed so the
// filter is applied to every thread of the process rather than only the
// calling one — relevant here because the Go runtime has already spawned
// other OS threads by the time main runs, and a filter on a single thread
// would leave the rest unconfined. The raw errno is returned on failure.
func InstallSeccomp(prog *C.struct_sock_fprog) error {
	op := uintptr(C.SECCOMP_SET_MODE_FILTER)
	flags := uintptr(C.SECCOMP_FILTER_FLAG_TSYNC)
	return seccomp(op, flags, unsafe.Pointer(prog))
}
  72.  
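// seccomp is a thin wrapper around the seccomp(2) system call.
//
// op is one of the SECCOMP_* operations, flags the SECCOMP_FILTER_FLAG_*
// bits and uargs the operation-specific argument (a *sock_fprog for
// SECCOMP_SET_MODE_FILTER). The raw errno is returned on failure.
//
// When SECCOMP_FILTER_FLAG_TSYNC is requested and the kernel cannot apply
// the filter to every thread, the syscall does not set errno: it returns
// the ID of the thread that could not be synchronized as a positive value.
// The original wrapper treated that as success, so the process could carry
// on believing all threads were confined; it is reported as an error here.
func seccomp(op, flags uintptr, uargs unsafe.Pointer) error {
	// 317 is __NR_seccomp on linux/amd64 only. The stdlib syscall package
	// does not export a constant for it (golang.org/x/sys/unix does), so
	// this program is amd64-specific.
	const sysSeccomp = 317
	// Value of SECCOMP_FILTER_FLAG_TSYNC in <linux/seccomp.h>; kept as a Go
	// constant so this wrapper stays free of cgo references.
	const seccompFilterFlagTSync uintptr = 1

	r1, _, e := syscall.Syscall(sysSeccomp, op, flags, uintptr(uargs))
	if e != 0 {
		return e
	}
	if flags&seccompFilterFlagTSync != 0 && r1 != 0 {
		// Non-zero result with errno 0: TSYNC failed on thread r1.
		return errors.New("seccomp: filter could not be synchronized to all threads")
	}
	return nil
}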
  82.  
// prctl is a thin wrapper around the prctl(2) system call.
//
// option selects the operation (a PR_* value) and args carries up to four
// operation-specific arguments; arguments not supplied are passed as zero
// and supplying more than four is rejected with E2BIG before any syscall
// is made. The raw errno is returned on failure.
func prctl(option uintptr, args ...uintptr) error {
	const maxArgs = 4
	if len(args) > maxArgs {
		return syscall.E2BIG
	}

	var a [maxArgs]uintptr
	for i, v := range args {
		a[i] = v
	}

	_, _, errno := syscall.Syscall6(syscall.SYS_PRCTL, option, a[0], a[1], a[2], a[3], 0)
	if errno == 0 {
		return nil
	}
	return errno
}
  96.  
  97. // Sample output:
  98. // 2017/09/20 20:06:13 seccomp filter installed
  99. // 2017/09/20 20:06:13 attempting to exec
  100. // 2017/09/20 20:06:13 exec failedfork/exec /bin/ls: operation not permitted