I'm writing a simple sandbox using Go code as a module, and I need load seccomp rules to limit the system call for the command.
I use os/exec
to run the command but I can't find anyway to load the filter before the command really starts.
I found Docker uses a call to fork, it needs to add code in the program's main
, but if the sandbox is a module, I don't think this is a good way.
In C we can use seccomp like:
int main() {
int pid = fork();
if (pid > 0) {
children();
} else if (pid == 0) {
struct rusage usage{};
int status;
if (wait4(pid, &status, WSTOPPED, &usage) == -1) {
kill(pid, SIGKILL);
}
}
}
void children() {
/* load seccomp filter */
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL & SCMP_ACT_LOG);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), 0);
seccomp_load(ctx);
execvp("bash", {"bash"});
}
In Go, I don't have any idea how to do it.
English is not my first language.