$ docker run --rm -it --security-opt seccomp=/path/to/seccomp/example.json hello-world
5.2 Example 2: To prevent a container from creating directories, disable the mkdir system call using a blacklist.
File name seccomp_mkdir.json: { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { "name": "mkdir", "action": "SCMP_ACT_ERRNO"...
// main.c /* * seccomp example with syscall reporting * * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org> * Authors: * Kees Cook <keescook@chromium.org> * Will Drewry <wad@chromium.org> * * Use of this source code is governed by a BSD-style license ...
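In 2005, Linux 2.6.12 introduced the first version of seccomp, which was enabled by writing "1" to the /proc/PID/seccomp interface. Initially there was only one mode, strict mode, in which the restricted process may use only 4 system calls: read(), write(), _exit(), and sigreturn(). Note that the open() system call is also prohibited, which means that entering strict mode...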
Example: $ firejail --list 1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr 7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt 7779:netblue:/usr/bin/firejail /usr/bin/galculator 7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:///home/netblue/firejail-...
sandbox example in cmd/sandbox.
Updating syscalls for new Linux releases
This package contains a list of syscall numbers that are generated from the Linux sources. Update the git tag here and then run this command to generate the code.
docker run -it --rm -v `pwd`:/go-seccomp-bpf -w /go...
Fortunately, since Linux 3.5, it is also possible to define advanced custom filters based on BPF (Berkeley Packet Filter). These filters may be applied to any of the syscall arguments, but only to their values. In other words, a filter won’t be able to dereference a pointer. For example on...
NsJail is a process isolation tool for Linux, implemented using namespaces, resource control, and the seccomp-bpf syscall filter subsystem
Example:
# firejail --private-srv=www /etc/init.d/apache2 start

--machine-id
    Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
    Example:
    $ firejail --machine-id

--allow-private-blacklist
    Allow blacklisting files in private home ...
Example usage

Using seccompiler in an application is a two-step process:
1. Compiling filters (into BPF)
2. Installing filters

Compiling filters

A user application can compile the seccomp filters into loadable BPF either at runtime or at build time. At runtime, the process is straightforward, leveraging...