Example #1
// Reset discards all state held by the filter context and installs
// defaultAction as the action applied to syscalls that match no rule.
//
// The action is validated first, so an invalid action is reported even when
// the filter itself is no longer valid. It returns the sanitizeAction error
// for a rejected action, errBadFilter when the filter is not marked valid,
// and otherwise the errno derived from a non-zero seccomp_reset return code.
func (f *ScmpFilter) Reset(defaultAction ScmpAction) error {
	// Hold the filter lock for the whole call so the validity check and the
	// native reset act on the same state.
	f.lock.Lock()
	defer f.lock.Unlock()

	if err := sanitizeAction(defaultAction); err != nil {
		return err
	}
	if !f.valid {
		return errBadFilter
	}

	// A non-zero return code is negated and surfaced as a syscall.Errno.
	if rc := C.seccomp_reset(f.filterCtx, defaultAction.toNative()); rc != 0 {
		return syscall.Errno(-rc)
	}
	return nil
}
Example #2
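// Sandbox builds a seccomp filter that allows the syscalls listed below,
// loads it, and then resets the userspace filter context.
//
// The function fails closed: if the context cannot be initialised, the
// filter cannot be loaded, or the final reset fails, the process is
// terminated through the log package instead of continuing unsandboxed.
func Sandbox() {
	ctx := C.seccomp_init2()
	if ctx == nil {
		log.Fatalln("Failed to initialize seccomp!")
	}

	// NOTE(review): the action taken for syscalls that are NOT listed here is
	// chosen inside seccomp_init2, which is not visible in this file. The
	// list below only restricts anything if that default denies — confirm.
	//
	// NOTE(review): seccomp_filter_call is a local C helper whose return type
	// is not visible here. If it reports rule-add failures they are dropped
	// at every call below — confirm and check them.
	//
	// No argument filters are passed from this call site, so broad calls
	// such as mmap, mprotect, clone and socket are allowed for any arguments.
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_read)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_write)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_close)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_gettimeofday)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_futex)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_exit_group)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_socket)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_epoll_ctl)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_mmap)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_mprotect)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_munmap)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_accept)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_fcntl)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_getsockname)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_setsockopt)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_rt_sigprocmask)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_clone)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_exit)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_bind)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_pipe)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_listen)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_restart_syscall)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_epoll_create1)

	// Likely unneeded:
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_sigaltstack)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_set_robust_list)
	C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_epoll_wait)

	// The load result was previously assigned and discarded, so a failed load
	// still logged "Started Seccomp Sandbox." with no filter installed.
	// Treat a failed load like every other failure in this function.
	if rc := C.seccomp_load(ctx); rc < 0 {
		log.Fatalf("Failed to load seccomp filter! (rc=%d)", rc)
	}

	// This resets the userspace context only; it runs after the load above.
	// NOTE(review): the context is never released in this function — confirm
	// whether that is intentional.
	rc := C.seccomp_reset(ctx, C.SCMP_ACT_KILL)
	if rc < 0 {
		log.Fatalln("Failed to reset seccomp!")
	}
	log.Printf("Started Seccomp Sandbox.")
}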