{"id":23583882,"url":"https://github.com/discue/go-syscall-gatekeeper-cli","last_synced_at":"2025-11-02T23:30:36.533Z","repository":{"id":260897613,"uuid":"882265247","full_name":"discue/go-syscall-gatekeeper-cli","owner":"discue","description":null,"archived":false,"fork":false,"pushed_at":"2025-02-11T06:08:27.000Z","size":2277,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-11T07:22:36.510Z","etag":null,"topics":["discue","gatekeeper","go","golang","ptrace","seccomp"],"latest_commit_sha":null,"homepage":"https://www.discue.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/discue.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-11-02T10:56:05.000Z","updated_at":"2025-02-11T06:08:25.000Z","dependencies_parsed_at":null,"dependency_job_id":"ff91afc7-086a-4569-9125-b0f02918a646","html_url":"https://github.com/discue/go-syscall-gatekeeper-cli","commit_stats":{"total_commits":101,"total_committers":2,"mean_commits":50.5,"dds":0.00990099009900991,"last_synced_commit":"16009c8aa9292d67dbcf57a17288ff53c0409569"},"previous_names":["discue/go-syscall-gatekeeper","discue/go-syscall-gatekeeper-cli"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/discue%2Fgo-syscall-gatekeeper-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/discue%2Fgo-syscall-gatekeeper-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/repositories/discue%2Fgo-syscall-gatekeeper-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/discue%2Fgo-syscall-gatekeeper-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/discue","download_url":"https://codeload.github.com/discue/go-syscall-gatekeeper-cli/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239403420,"owners_count":19632583,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["discue","gatekeeper","go","golang","ptrace","seccomp"],"created_at":"2024-12-27T02:17:59.843Z","updated_at":"2025-11-02T23:30:36.502Z","avatar_url":"https://github.com/discue.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n\u003cp align=\"center\"\u003e\u003ca href=\"https://www.discue.io/\" target=\"_blank\" rel=\"noopener noreferrer\"\u003e\u003cimg width=\"256\" src=\"https://www.discue.io/icons-fire-no-badge-square/web/icon-192.png\" alt=\"Vue logo\"\u003e\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr/\u003e\n\u003cdiv align=\"center\"\u003e\n\n[![contributions - welcome](https://img.shields.io/badge/contributions-welcome-blue/green)](/CONTRIBUTING.md \"Go to contributions doc\")\n[![GitHub License](https://img.shields.io/github/license/discue/go-syscall-gatekeeper.svg)](https://github.com/discue/go-syscall-gatekeeper-cli/blob/master/LICENSE)\n\u003cbr/\u003e\n[![Go Report 
Card](https://goreportcard.com/badge/github.com/discue/go-syscall-gatekeeper)](https://goreportcard.com/report/github.com/discue/go-syscall-gatekeeper)\n[![Go](https://img.shields.io/github/go-mod/go-version/discue/go-syscall-gatekeeper-cli)](https://github.com/discue/go-syscall-gatekeeper-cli/blob/main/go.mod)\n\u003cbr/\u003e\n[![lints](https://github.com/discue/go-syscall-gatekeeper-cli/actions/workflows/lints.yml/badge.svg)](https://github.com/discue/go-syscall-gatekeeper-cli/actions/workflows/lints.yml)\n[![tests](https://github.com/discue/go-syscall-gatekeeper-cli/actions/workflows/tests.yml/badge.svg)](https://github.com/discue/go-syscall-gatekeeper-cli/actions/workflows/tests.yml)\n\u003c/div\u003e\n\n\u003cbr/\u003e\n\n# go-syscall-gatekeeper\nGo process manager that can be used to \n- start other processes and control their lifecycle,\n- watch the status of the started process and return appropriate exit codes,\n- and, most importantly, **trace and limit the syscalls of the started process**. \n\nThis allows you to start trusted and untrusted applications, e.g. Go, Python or Node apps, and limit their access to the file system or to the network. With simple command line flags you can easily grant permissions to the started process.\n\n## 🤝 Examples\nThis section shows some examples of how processes can be started with different levels of permissions and... success. See below how the `curl` command fails until both filesystem and network permissions are granted.\n\nWhile it's obvious why `curl` needs network permissions, the filesystem permissions are necessary to read e.g. configuration files and shared libraries.\n\n### ❌ No filesystem permissions\nIn this case, `curl` is only started with a default set of permissions. 
The command fails because access to the filesystem is denied.\n```bash\n$ gatekeeper run curl -v google.com\n[...]\nSyscall not allowed: access\nenter [pid 4855] access (/etc/ld.so.preload)\nPID 4855 exited from signal SIGKILL (killed) (9)\nExiting with code 111\nexit status 111\n```\n\n### ❌ With filesystem permissions, but no permission to access network\nIn this second case, `curl` is started with a default set of permissions and **read access to the file system**. The command still fails because access to the network-related `socket` syscall is denied.\n```bash\n$ gatekeeper run --allow-file-system-read curl -v google.com\n[...]\nSyscall not allowed: socket\nenter [pid 4996] socket\nPID 4996 exited from signal SIGKILL (killed) (9)\nExiting with code 111\nexit status 111\n```\n\n### ✅ With filesystem and network permissions\nIn this final case, `curl` is started with read access to the filesystem **and** to the network. The command then exits with success.\n```bash\n$ gatekeeper run --allow-file-system-read --allow-network-client curl -v google.com\n[...]\n\u003cHTML\u003e\u003cHEAD\u003e\u003cmeta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"\u003e\n\u003cTITLE\u003e301 Moved\u003c/TITLE\u003e\u003c/HEAD\u003e\u003cBODY\u003e\n\u003cH1\u003e301 Moved\u003c/H1\u003e\nThe document has moved\n\u003cA HREF=\"http://www.google.com/\"\u003ehere\u003c/A\u003e.\n\u003c/BODY\u003e\u003c/HTML\u003e\n[...]\nPID 5255 exited from exit status 0 (code = 0)\nExiting with code 0\n```\n\n## 📦 Installation\nInstall the package:\n\n```bash\ngo get github.com/discue/go-syscall-gatekeeper\n```\n\n## 🔣 Usage\n```bash\n./gatekeeper [run|trace] [binary] [args...]\n```\n### 🚀 Run\nThe `run` subcommand runs the given command without any syscall restrictions. 
This is as good as calling the target program directly.\n\n```bash\n./gatekeeper run ls -l\n```\n\n### 🤺 Permissions\nYou can pass the following flags:\n- `--allow-file-system-read` to allow the started process to read from the file system,\n- `--allow-file-system-write` to allow the started process to write to the file system,\n- `--allow-network-client` to allow the started process to open sockets and connect to other servers,\n- `--allow-network-server` to allow the started process to listen on ports and accept incoming connections.\n\n### 🔎 Trace\nThe `trace` subcommand runs the given binary and traces its syscalls. In this case, the `gatekeeper` will \n\n```bash\n./gatekeeper trace ls -l\n```\n\n## 🧪 Running Tests\nTo run the tests, run the following command:\n\n```bash\n./test.sh\n```\n\n## 📄 License\n[BSD 3-Clause](https://choosealicense.com/licenses/bsd-3-clause/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdiscue%2Fgo-syscall-gatekeeper-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdiscue%2Fgo-syscall-gatekeeper-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdiscue%2Fgo-syscall-gatekeeper-cli/lists"}