Comments (7)
I have recently built a tool that goes through the execution path of Go applications and extracts all syscalls it finds. On this source code:
```go
package main

import "fmt"

func main() {
	fmt.Println("test")
}
```
this is what it extracts:
```text
"sched_yield",
"futex",
"write",
"mmap",
"exit_group",
"madvise",
"rt_sigprocmask",
"getpid",
"gettid",
"tgkill",
"rt_sigaction",
"read",
"getpgrp",
"arch_prctl",
```
here's how to use it:
```shell
# install the tool (module path, not a URL)
go install github.com/pjbgf/gosystract@latest
gosystract --template='{{- range . }}{{printf "\"%s\",\n" .Name}}{{- end}}' application-path
```
from libseccomp-golang.
Add to that list gettid and sched_getaffinity at a minimum, probably nanosleep and getpid. If you're using any of the Golang concurrency primitives you probably hit a sched_yield or two as well.
Yes, my list is for a tiny program that doesn't do much.
I'm not sure if nanosleep needs to be explicitly allowed. I followed this example and without whitelisting nanosleep I can still see it allowed in strace.
I'm fairly certain Go uses it internally in the runtime for scheduling Goroutines, so while you can probably get away without it for trivial programs, I wouldn't recommend leaving it out.
(I'm also quite certain blacklisting it does block it - I used it extensively as a test case while developing the bindings. Very easy to call fork off a sleep and see whether it takes milliseconds or seconds to return)
A default list would certainly be useful, since coming up with one isn't trivial.
Just running the program under strace and collecting the observed syscalls isn't sufficient.
In my experience, even running the program with the same input several times in a row gives different sets of syscalls, e.g. mprotect and set_robust_list don't always turn up.
And then there are non-regular circumstances that lead to syscalls you don't usually see, such as restart_syscall, which is executed only if you manage to send a signal that interrupts your program during a syscall.
I can confirm that nanosleep definitely needs to be whitelisted as it's called a lot, at least if you use Go routines. Not whitelisting it definitely yields a seccomp action.
On the other hand, I haven't seen rt_sigreturn so far.
Ideally one would have a look at the Go runtime code and grep the syscalls out of it.
Since Go statically links everything (unless you import a module with C bindings), the syscalls in the resulting binary should contain all the syscalls the program and the Go runtime make. And not much else, since one should expect that Go eliminates dead runtime code.
I've done this for a medium size Go program of mine (gonzofilter, cf. its whitelist) which does a bit of file I/O, uses Go routines and does a lot of lexing and parsing:
Get syscall table:
```shell
curl -O https://raw.githubusercontent.com/torvalds/linux/v5.6/arch/x86/entry/syscalls/syscall_64.tbl
```
Get all direct syscalls:
```shell
# strtonum() is a gawk extension; the table columns are <number> <abi> <name> <entry>
join <(objdump -d gonzofilter -Mintel | grep 'syscall ' -B1 | grep eax | cut -f2 -d, \
      | sort -u | awk '{printf("%d\n", strtonum($1));}' | sort -k1,1) \
     <(awk '/^[0-9]/ {print $1, $3}' syscall_64.tbl | sort -k1,1) | sort -k1,1 -n > l1
```
Get all indirect syscalls (i.e. via syscall.Syscall and syscall.Syscall6):
```shell
# the trap number is the first argument, stored to [rsp] before the call
join <(objdump -d gonzofilter -Mintel | grep 'call .*Syscall' -B18 \
      | grep '\[rsp\]\|Syscall' | grep QWORD | cut -f2 -d, | sort -u \
      | awk '{printf("%d\n", strtonum($1));}' | sort -k1,1) \
     <(awk '/^[0-9]/ {print $1, $3}' syscall_64.tbl | sort -k1,1) | sort -k1,1 -n > l2
```
Combined I get this list:
```text
clone
close
epoll_create
epoll_create1
epoll_ctl
epoll_pwait
exit
exit_group
fcntl
fdatasync
flock
fstat
fsync
ftruncate
futex
getpid
gettid
kill
lseek
madvise
mincore
mmap
munmap
nanosleep
openat
pread64
pwrite64
read
readlinkat
rt_sigaction
rt_sigprocmask
sched_getaffinity
sched_yield
setitimer
tgkill
write
```
When I link against a module with C bindings (such as this libseccomp module), of course, there are some additional syscalls originating from the shared libraries (e.g. libc+libpthread+libseccomp).
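The point made above that one strace run is not enough can be checked mechanically. The following is an added Python example, not code from this thread or from libseccomp-golang: it parses several `strace -f` traces of the same program, then reports which syscalls show up in every run and which only in some of them. All trace lines are hand-written sample data in the shape of strace output (the pids, addresses and the program name `./app` are made up); in the sample, mprotect, set_robust_list and rt_sigreturn are the ones a single trace would have missed.

```python
import re
from typing import Dict, List, Set, Tuple

# Matches the syscall name at the start of an strace line, with or without the
# pid prefix that `strace -f` adds ("12001 write(" or "[pid 12001] write(").
SYSCALL_LINE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?([a-z_][a-z0-9_]*)\(")

# Constructed sample lines in the shape of `strace -f` output for a small Go
# program; hand-written for this example, not real captures.
BASE_RUN: List[str] = [
    '12001 execve("./app", ["./app"], 0x7ffd9c0 /* 20 vars */) = 0',
    "12001 arch_prctl(ARCH_SET_FS, 0x4d4f90) = 0",
    "12001 sched_getaffinity(0, 8192, [0, 1]) = 8",
    "12001 mmap(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1000",
    "12001 rt_sigaction(SIGHUP, {sa_handler=0x45d1b0, sa_flags=SA_RESTART}, NULL, 8) = 0",
    "12001 clone(child_stack=0xc000040000, flags=CLONE_VM|CLONE_FS|CLONE_THREAD) = 12002",
    "strace: Process 12002 attached",
    "12002 futex(0xc000030148, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>",
    '12001 write(1, "test", 4) = 4',
    "12001 nanosleep({tv_sec=0, tv_nsec=20000}, NULL) = 0",
    "12002 <... futex resumed>) = 0",
    "12001 exit_group(0) = ?",
    "+++ exited with 0 +++",
]

# The same program traced three times: the second run happens to show mprotect
# and set_robust_list, the third is interrupted by a signal and returns through
# rt_sigreturn. Neither appears in the first run.
RUNS: Dict[str, List[str]] = {
    "run1": BASE_RUN,
    "run2": BASE_RUN[:4]
    + ["12001 mprotect(0x7f1000, 4096, PROT_READ) = 0",
       "12001 set_robust_list(0x7f10a0, 24) = 0"]
    + BASE_RUN[4:],
    "run3": BASE_RUN[:9]
    + ["12001 --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL} ---",
       "12001 rt_sigreturn({mask=[]}) = 0"]
    + BASE_RUN[9:],
}


def syscalls_in_run(lines: List[str]) -> Set[str]:
    """Return the set of syscall names observed in one trace.

    Signal notes (---), exit notes (+++), strace's own messages and
    '<... resumed>' continuations carry no new syscall name and are skipped.
    """
    names: Set[str] = set()
    for line in lines:
        m = SYSCALL_LINE.match(line)
        if m:
            names.add(m.group(1))
    return names


def classify(runs: Dict[str, List[str]]) -> Tuple[Set[str], Set[str]]:
    """Split the union over all runs into syscalls seen every time and syscalls
    seen only in some runs; the second set is what one trace can miss."""
    per_run = [syscalls_in_run(lines) for lines in runs.values()]
    always = set.intersection(*per_run)
    sometimes = set.union(*per_run) - always
    return always, sometimes


if __name__ == "__main__":
    always, sometimes = classify(RUNS)
    print("seen in every run:     ", sorted(always))
    print("seen only in some runs:", sorted(sometimes))
```

Taking the union over many runs narrows the gap but does not close it: a path such as restart_syscall only shows up when a signal lands during a blocking syscall, so the traced union is a lower bound for the allowlist, not the allowlist itself.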
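The two objdump/join pipelines above, and the binary-scanning approach of the gosystract tool in the first comment, can be reproduced in one script that also records the call sites it could not resolve instead of silently dropping them. This is an added Python example, not code from this thread, from gonzofilter or from libseccomp-golang. The syscall table excerpt follows the real `syscall_64.tbl` layout with real x86-64 numbers; the objdump listing is constructed (the addresses, byte columns and the symbol `runtime.rawsyscall` are made up), and the indirect case assumes the stack-based Go calling convention the pipeline above relies on, where the trap number is stored to `[rsp]` before `call syscall.Syscall`.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt in the format of arch/x86/entry/syscalls/syscall_64.tbl
# (<number> <abi> <name> <entry point>); the numbers are the real x86-64 ones.
SYSCALL_TBL = """\
# 64-bit system call numbers and entry vectors
0\tcommon\tread\t\t\tsys_read
1\tcommon\twrite\t\t\tsys_write
35\tcommon\tnanosleep\t\tsys_nanosleep
72\tcommon\tfcntl\t\t\tsys_fcntl
202\tcommon\tfutex\t\t\tsys_futex
231\tcommon\texit_group\t\tsys_exit_group
257\tcommon\topenat\t\t\tsys_openat
512\tx32\trt_sigaction\t\tcompat_sys_rt_sigaction
"""

# Constructed lines in the shape of `objdump -d -Mintel` output for a Go binary
# (addresses, bytes and symbol names are made up). Each instruction line is
# address, raw bytes and assembly separated by tabs, as objdump prints them.
OBJDUMP = """\
0000000000402c40 <runtime.exit>:
  402c40:\t48 8b 7c 24 08       \tmov    rdi,QWORD PTR [rsp+0x8]
  402c45:\tb8 e7 00 00 00       \tmov    eax,0xe7
  402c4a:\t0f 05                \tsyscall
0000000000402d00 <runtime.futex>:
  402d00:\tb8 ca 00 00 00       \tmov    eax,0xca
  402d05:\t0f 05                \tsyscall
0000000000402e00 <runtime.usleep>:
  402e00:\tb8 23 00 00 00       \tmov    eax,0x23
  402e05:\t0f 05                \tsyscall
00000000004a1200 <os.openFileNolog>:
  4a1200:\t48 c7 04 24 01 01 00 00 \tmov    QWORD PTR [rsp],0x101
  4a1208:\t48 c7 44 24 08 9c ff ff \tmov    QWORD PTR [rsp+0x8],0xffffffffffffff9c
  4a1210:\tff
  4a1211:\te8 0a fb ff ff       \tcall   4a0d20 <syscall.Syscall6>
  4a1216:\t48 c7 04 24 48 00 00 00 \tmov    QWORD PTR [rsp],0x48
  4a121e:\te8 fd fa ff ff       \tcall   4a0d20 <syscall.Syscall>
00000000004b0000 <runtime.rawsyscall>:
  4b0000:\t8b 44 24 08          \tmov    eax,DWORD PTR [rsp+0x8]
  4b0004:\t0f 05                \tsyscall
"""

TBL_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)")
MOV_EAX_IMM = re.compile(r"^mov [er]ax,0x([0-9a-f]+)$")             # number for a direct `syscall`
MOV_RSP_IMM = re.compile(r"^mov QWORD PTR \[rsp\],0x([0-9a-f]+)$")  # trap argument of syscall.Syscall*
CALL_SYSCALL = re.compile(r"^call [0-9a-f]+ <syscall\.(?:Raw)?Syscall6?>$")
WINDOW = 18  # same look-back as `grep -B18` in the pipeline above


def parse_syscall_table(text: str) -> Dict[int, str]:
    """Map syscall number -> name, keeping only 64-bit ABI rows (x32 rows are skipped)."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        m = TBL_LINE.match(line)
        if m and m.group(2) in ("common", "64"):
            table[int(m.group(1))] = m.group(3)
    return table


def instructions(objdump_text: str) -> List[str]:
    """Return the assembly column of each objdump line with whitespace collapsed;
    symbol headers and byte-only continuation lines have no third column."""
    out: List[str] = []
    for line in objdump_text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 3 and parts[2].strip():
            out.append(" ".join(parts[2].split()))
    return out


def _last_imm(window: List[str], pattern: "re.Pattern[str]") -> Optional[int]:
    for asm in reversed(window):
        m = pattern.match(asm)
        if m:
            return int(m.group(1), 16)
    return None


def extract_syscall_numbers(objdump_text: str) -> Tuple[Set[int], List[str]]:
    """Direct sites: `syscall` whose previous instruction loads an immediate into eax.
    Indirect sites: calls into syscall.Syscall* with an immediate stored to [rsp]
    inside the look-back window. Sites without an immediate are reported, not guessed."""
    numbers: Set[int] = set()
    unresolved: List[str] = []
    window: List[str] = []
    for asm in instructions(objdump_text):
        site, num = None, None
        if asm == "syscall":
            site, num = "direct", _last_imm(window[-1:], MOV_EAX_IMM)
        elif CALL_SYSCALL.match(asm):
            site, num = "indirect", _last_imm(window[-WINDOW:], MOV_RSP_IMM)
        if site is not None:
            if num is None:
                unresolved.append(f"{site} site after '{window[-1] if window else ''}'")
            else:
                numbers.add(num)
        window.append(asm)
        del window[:-WINDOW]
    return numbers, unresolved


def allowlist(objdump_text: str, table_text: str) -> Tuple[List[str], List[str]]:
    """Sorted names for the seccomp allowlist plus the sites needing manual review."""
    table = parse_syscall_table(table_text)
    numbers, unresolved = extract_syscall_numbers(objdump_text)
    return sorted(table.get(n, f"unknown_{n}") for n in numbers), unresolved


if __name__ == "__main__":
    names, unresolved = allowlist(OBJDUMP, SYSCALL_TBL)
    print("\n".join(names))
    for site in unresolved:
        print("review:", site)
```

Two limitations are inherited from the grep-based version and worth knowing when you trust the output: a `[rsp]` store left over from earlier code inside the 18-instruction window is attributed to the next `syscall.Syscall` call, and a trap number that arrives in a register rather than as an immediate (the `runtime.rawsyscall` site in the sample) cannot be recovered from the listing at all, which is why such sites are returned as `unresolved` for a human to check rather than dropped.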
This is a moving target, meaning any new golang releases and/or Linux kernel releases can add more system calls.
I agree with @kolyshkin, trying to maintain a default list of syscalls is going to be extremely difficult. Maybe someday we could revisit this idea, but at this point in time I think this needs to be a WONTFIX.