go-seccomp-bpf is a library for Go (golang) for loading a system call filter on Linux 3.17 and later by taking advantage of secure computing mode, also known as seccomp. Seccomp restricts the system calls that a process can invoke.
The kernel exposes a large number of system calls that are not used by most processes. By installing a seccomp filter, you can limit the total kernel surface exposed to a process (principle of least privilege). This minimizes the impact of unknown vulnerabilities that might be found in the process.
The filter is expressed as a Berkeley Packet Filter (BPF) program. The BPF program is generated based on a filter policy created by you.
- Requires Linux 3.17 because it uses the
seccompsyscall in order to take advantage of theSECCOMP_FILTER_FLAG_TSYNCflag to sync the filter to all threads.
- Pure Go and does not have a libseccomp dependency.
- Filters are customizable and can be written as an allowlist or blocklist.
- Supports system call argument filtering.
- Uses
SECCOMP_FILTER_FLAG_TSYNCto sync the filter to all threads created by the Go runtime. - Invokes
prctl(PR_SET_NO_NEW_PRIVS, 1)to set the threadsno_new_privsbit which is generally required before loading a seccomp filter. - seccomp-profiler tool for automatically generating a allowlist policy based on the system calls that a binary uses.
- System call tables are only implemented for 386, amd64, arm and arm64. (More system call table generation code should be added to arch/mk_syscalls_linux.go.)
- GoDoc Package Example
sandboxexample in cmd/sandbox.
This package contains a list of syscall numbers that are generated from the Linux sources. Update the git tag here and then run this command to generate the code.
docker run -it --rm -v `pwd`:/go-seccomp-bpf -w /go-seccomp-bpf/arch golang:1.23.0 go generatePlease open a PR to submit your project.