
I'm writing a simple sandbox as a Go module, and I need to load seccomp rules to limit the system calls available to the command.

I use os/exec to run the command, but I can't find any way to load the filter before the command really starts.

I found that Docker uses a call to fork; it needs code added in the program's main, but if the sandbox is a module I don't think this is a good way.

In C we can use seccomp like:

#include <seccomp.h>
#include <signal.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

void children(void);

int main(void) {
    pid_t pid = fork();
    if (pid == 0) {
        children();               /* child: load the filter, then exec */
    } else if (pid > 0) {
        /* parent: stays unfiltered, collects status and resource usage */
        struct rusage usage;
        int status;
        if (wait4(pid, &status, WUNTRACED, &usage) == -1) {
            kill(pid, SIGKILL);
        }
    }
    return 0;
}

void children(void) {
    /* load seccomp filter: kill the process on any syscall not allowed below */
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 0); /* the exec below is itself a syscall */
    seccomp_load(ctx);

    /* the filter is inherited across exec; bash itself needs many more calls than this list */
    char *const argv[] = {"bash", NULL};
    execvp("bash", argv);
}

In Go, I don't have any idea how to do it.

English is not my first language.

  • Why not use the [`github.com/seccomp/libseccomp-golang`](https://godoc.org/github.com/seccomp/libseccomp-golang) Go package? – Dave C Jul 30 '19 at 13:45
  • The normal unix way to run an arbitrary command with some special setup without doing it in the command's code path is via a helper utility that does the setup before `exec`ing the actual command. Examples of such helper tools include [`env`](https://linux.die.net/man/1/env), [`daemonize`](https://linux.die.net/man/1/daemonize), [`stdbuf`](https://linux.die.net/man/1/stdbuf), etc; I don't know if such a helper exists for seccomp. – Dave C Jul 30 '19 at 13:57
  • I have been checking libseccomp-golang; the package limits the parent in order to limit the child, but the parent should not be limited, since it will collect the resource usage and other things. So maybe not a good way. – boxjan Jul 30 '19 at 14:25
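The helper approach from the comments, as an added Go example that is not code from the question or from any project: the sandbox re-executes itself through `/proc/self/exe`, the helper copy installs the filter and then execs the target, and the parent is never filtered and gets the exit status (and, via `cmd.ProcessState.SysUsage()`, the rusage) back. It assumes x86-64 Linux, an absolute command path in argv[1], a hypothetical `--sandbox-child` marker, and a hand-assembled classic-BPF filter built with only the standard library (libseccomp-golang would produce the same program with a friendlier API). It deliberately goes beyond the question's allow-list: a deny-list (socket and connect fail with EPERM) lets an arbitrary command such as bash keep running, whereas read/write/exit/sigreturn alone would kill bash on its first mmap.

```go
package main
import ("fmt"; "os"; "os/exec"; "runtime"; "syscall"; "unsafe")
const ( // x86-64 Linux values from linux/prctl.h, linux/filter.h, linux/audit.h and linux/seccomp.h
	prSetNoNewPrivs, prSetSeccomp, seccompModeFilter = 38, 22, 2
	bpfLdWAbs, bpfJmpJeqK, bpfRetK                   = 0x20, 0x15, 0x06 // BPF_LD|BPF_W|BPF_ABS, BPF_JMP|BPF_JEQ|BPF_K, BPF_RET|BPF_K
	auditArchX86_64, retKillProcess, retErrno, retAllow = 0xc000003e, 0x80000000, 0x00050000, 0x7fff0000 // SECCOMP_RET_*
	childMarker = "--sandbox-child" // hypothetical argv[1] marker that identifies the re-exec'd helper
)
type sockFilter struct{ code uint16; jt, jf uint8; k uint32 } // struct sock_filter
type sockFprog struct{ len uint16; filter *sockFilter }       // struct sock_fprog
// buildFilter: classic BPF that fails the denied x86-64 syscalls with EPERM, allows the rest and kills on any other arch.
func buildFilter(denied []uint32) []sockFilter {
	prog := []sockFilter{
		{bpfLdWAbs, 0, 0, 4},                // A = seccomp_data.arch
		{bpfJmpJeqK, 1, 0, auditArchX86_64}, // expected arch: skip the kill (compat/x32 entry points renumber syscalls)
		{bpfRetK, 0, 0, retKillProcess},
		{bpfLdWAbs, 0, 0, 0},                // A = seccomp_data.nr
	}
	for i, nr := range denied { // on a match, jump over the remaining checks and the ALLOW, onto the ERRNO return
		prog = append(prog, sockFilter{bpfJmpJeqK, uint8(len(denied) - i), 0, nr})
	}
	return append(prog, sockFilter{bpfRetK, 0, 0, retAllow}, sockFilter{bpfRetK, 0, 0, retErrno | uint32(syscall.EPERM)})
}
// installFilter attaches the program to the calling thread only; PR_SET_NO_NEW_PRIVS is what lets an unprivileged process do it.
func installFilter(denied []uint32) error {
	if _, _, e := syscall.RawSyscall6(syscall.SYS_PRCTL, prSetNoNewPrivs, 1, 0, 0, 0, 0); e != 0 {
		return e
	}
	f := buildFilter(denied)
	prog := sockFprog{uint16(len(f)), &f[0]}
	if _, _, e := syscall.RawSyscall6(syscall.SYS_PRCTL, prSetSeccomp, seccompModeFilter, uintptr(unsafe.Pointer(&prog)), 0, 0, 0); e != 0 {
		return e
	}
	return nil
}
func main() {
	if len(os.Args) < 2 { fmt.Fprintln(os.Stderr, "usage: sandbox /abs/path/to/cmd [args...]"); os.Exit(2) }
	if len(os.Args) > 2 && os.Args[1] == childMarker { // helper child: pin the thread, install the filter, exec the real command
		runtime.LockOSThread() // the filter is per thread, so the exec must run on the thread that installed it
		err := installFilter([]uint32{syscall.SYS_SOCKET, syscall.SYS_CONNECT}) // demo policy: no networking
		if err == nil {
			err = syscall.Exec(os.Args[2], os.Args[2:], os.Environ()) // returns only on failure
		}
		fmt.Fprintln(os.Stderr, "sandbox helper:", err)
		os.Exit(127)
	}
	cmd := exec.Command("/proc/self/exe", append([]string{childMarker}, os.Args[1:]...)...) // parent: never filtered
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	fmt.Fprintln(os.Stderr, "exit:", cmd.Run()) // cmd.ProcessState.SysUsage() holds the rusage the parent wants to collect
}
```

Run as `./sandbox /bin/bash`: inside the shell, file I/O works while anything that opens a socket fails with EPERM, and the unfiltered parent reports the exit status.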

0 Answers