// Reset resets a filter context, removing all its existing state. // Accepts a new default action to be taken for syscalls which do not match. // Returns an error if the filter or action provided are invalid. func (f *ScmpFilter) Reset(defaultAction ScmpAction) error { f.lock.Lock() defer f.lock.Unlock() if err := sanitizeAction(defaultAction); err != nil { return err } else if !f.valid { return errBadFilter } retCode := C.seccomp_reset(f.filterCtx, defaultAction.toNative()) if retCode != 0 { return syscall.Errno(-1 * retCode) } return nil }
func Sandbox() { //fmt.Printf("Attempting to sandbox...\n") ctx := C.seccomp_init2() if ctx == nil { log.Fatalln("Failed to initialize seccomp!") } // DO SECCOMP STUFFS C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_read) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_write) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_close) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_gettimeofday) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_futex) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_exit_group) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_socket) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_epoll_ctl) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_mmap) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_mprotect) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_munmap) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_accept) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_fcntl) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_getsockname) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_setsockopt) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_rt_sigprocmask) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_clone) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_exit) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_bind) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_pipe) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_listen) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_restart_syscall) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_epoll_create1) // Likely unneeded: C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_sigaltstack) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_set_robust_list) C.seccomp_filter_call(ctx, C.SCMP_ACT_ALLOW, C.__NR_epoll_wait) moo := C.seccomp_load(ctx) moo = moo rc := C.seccomp_reset(ctx, C.SCMP_ACT_KILL) if rc < 0 { log.Fatalln("Failed to reset seccomp!") } log.Printf("Started Seccomp Sandbox.") }