I would like to know if it is possible to install a seccomp filter in a child process in a Go program. Currently I am spawning the child process as follows:
cmd := exec.Command(target)
cmd.Stdout = os.Stdout
cmd.Stdin = os.Stdin
cmd.Stderr = os.Stderr
cmd.SysProcAttr = &unix.SysProcAttr{
Ptrace: true,
}
cmd.Start()
cmd.Wait()
This works fine, and SysProcAttr
provides a mechanism to enable Ptrace in the child process. However, there doesn't seem to be any support for also installing seccomp filters in the child. I know about https://github.com/elastic/go-seccomp-bpf and https://github.com/seccomp/libseccomp-golang but these libraries appear to only support installing seccomp filters in the current process (and any children that are spawned from the current process). I only want to install the filters in the child, not the parent, because I don't want the parent to be sandboxed as well.
In C, the mechanism to install a seccomp filter in a child process would be to fork, install the filter in the current process (from in the child), and then exec. However, it doesn't seem like there is support for separating fork and exec like this in Go. Is there any way around this, or do I need to use C to do this properly?
Could SysProcAttr
be extended to allow seccomp filters, or allow running arbitrary code after the fork and before the exec (at some point I assume it calls fork and then exec)? How would I go about implementing this?
I solved this issue by using the
forkexec
package from here: https://godoc.org/github.com/criyle/go-sandbox/pkg/forkexec andelastic/go-seccomp-bpf
. Seccomp filters can be installed like so:This requires some extra functions using the
criyle/go-sandbox/pkg/seccomp
package.