{"id":37132824,"url":"https://github.com/codedokode/guarddog","last_synced_at":"2026-01-14T15:29:47.840Z","repository":{"id":64887806,"uuid":"94721144","full_name":"codedokode/guarddog","owner":"codedokode","description":"An utility that can restrict a program with seccomp-bpf on Linux","archived":false,"fork":false,"pushed_at":"2018-01-25T00:52:03.000Z","size":27,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-06-20T12:40:33.857Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/codedokode.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-06-19T00:26:45.000Z","updated_at":"2024-06-20T12:40:33.858Z","dependencies_parsed_at":"2022-12-17T13:48:28.598Z","dependency_job_id":null,"html_url":"https://github.com/codedokode/guarddog","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/codedokode/guarddog","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codedokode%2Fguarddog","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codedokode%2Fguarddog/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codedokode%2Fguarddog/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codedokode%2Fguarddog/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/codedokode","download_url":"https://codeload.github.com/codedokode/guarddog/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codedokode%2Fguarddog/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28424374,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T13:30:50.153Z","status":"ssl_error","status_checked_at":"2026-01-14T13:29:08.907Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-14T15:29:47.331Z","updated_at":"2026-01-14T15:29:47.832Z","avatar_url":"https://github.com/codedokode.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Guarddog\n\n[![Build Status](https://travis-ci.org/codedokode/guarddog.svg?branch=master)](https://travis-ci.org/codedokode/guarddog)\n\nGuarddog is an utility in Go that executes a program while restricting a set of system calls it is allowed to make. Guarddog is also able to chroot(2) into a given directory and change user and group ids before running the program. This is done so that you don't have to put chroot program into the sandbox.\n\nGuarddog uses seccomp(2) with `SECCOMP_SET_MODE_FILTER` option to put a restriction so the kernel must support it. On attempt to make a call not specified in a list of allowed calls the kernel sends a `SIGKILL` signal that terminates the program.\n\n## Installation\n\nYou will need to install: \n\n- golang (tested with `go1.3.3 linux/386`, can be checked with `go version`)\n- gcc (tested with 4.9.2, can be checked with `gcc --version`)\n- pkg-config (tested with 0.28, can be checked with `pkg-config --version`)\n- libseccomp-dev (tested with 2.1.1)\n- strace (tested with 4.9, can be checked with `strace -V`)\n- gdb (optional, if you want to view stack traces from core dumps)\n\nThis program uses [libseccomp](https://github.com/seccomp/libseccomp) so you need to install it beforehands. On Debian or Ubuntu this can be done by running `./scripts/install.sh`. \n\nLocate the source code so that it is inside your Go workspace in the `src/guarddog` directory. For example, you can create a directory `/tmp/go/src/guarddog/` and copy repository contents there. And then run the following command to set GOPATH:\n\n    export GOPATH=/tmp/go/\n\nBy default (for example if you use `go get`) Go will try to install the code into `github.com/codedokode/guarddog` directory and that won't work. Because I don't want to write a github repository URL in every import.\n\nYou also have to download a specific version of libseccomp-golang from https://github.com/seccomp/libseccomp-golang/tree/1b506fc7c24eec5a3693cdcbed40d9c226cfc6a1 (you can download newer versions but they are not guaranteered to work). The git repository contents should be copied to `external/github.com/seccomp/libseccomp-golang/` so that the `README` file is located at `external/github.com/seccomp/libseccomp-golang/README`.\n\nYou can do this by running these commands from the root of the repository: \n\n```sh\ngit clone 'https://github.com/seccomp/libseccomp-golang.git' './external/github.com/seccomp/libseccomp-golang/'\ngit -C './external/github.com/seccomp/libseccomp-golang/' checkout --detach 1b506fc7c24eec5a3693cdcbed40d9c226cfc6a1\n```\n\n## Building\n\nTo build a program you can run `./script/build.sh`. This will create a binary named `guarddog`.\n\n## Testing\n\nThe program contains unit tests. To test a build run `./scripts/run-tests.sh`\n\n## Usage\n\nRun compiled program with `-help` flag to get help:\n\n    ./guarddog -help\n\nBy default no system calls are allowed. You should at least allow `execve` system call or guarddog will be unable to execute a program. You can see the system calls the program is making with `strace` command. \n\nYou can see usage example in file [./scripts/test-sandbox.sh](./scripts/test-sandbox.sh).\n\nCurrent options are: \n\n```\nUsage: ./guarddog [options] -- command [args]\nOptions:\n  -allow=[]: names of system calls to allow, may be used several times\n  -allow-any-syscalls=false: do not apply seccomp syscall filter\n  -allow-root=false: allow program to run as root (by default it would refuse to do it)\n  -chroot-path=\"\": chroot to a directory before executing program\n  -config-file=\"\": read options from this config file. File contains lines like 'some-opti\non = some-value'\n  -dump-syscalls=false: print available syscalls names and numbers for current system\n  -set-gid=0: switch to this GID\n  -set-uid=0: switch to this UID\n  -status-fd=0: file descriptor for logging debug and error messsages, default is stderr (\n2)\n  -trap=false: when making a syscall that is not allowed, send SIGSYS to a program instead\n of SIGKILL. Might be useful for debugging\n  -verbose=false: print debugging information\n```\n\n## TODO \n\n- use GODEBUG https://golang.org/pkg/runtime/\n\n## License\n\nThe program is distributed under [GNU Affero General Public License](https://www.gnu.org/licenses/agpl-3.0.en.html) version 3.0 or higher. The code in the `external/github.com/seccomp` folder is not a part of this program and is under its own license.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodedokode%2Fguarddog","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcodedokode%2Fguarddog","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcodedokode%2Fguarddog/lists"}