{"id":15044544,"url":"https://github.com/elastic/go-seccomp-bpf","last_synced_at":"2025-04-11T23:19:53.412Z","repository":{"id":31966328,"uuid":"130945618","full_name":"elastic/go-seccomp-bpf","owner":"elastic","description":"Go library for installing a seccomp BPF system call filter.","archived":false,"fork":false,"pushed_at":"2025-03-25T11:13:38.000Z","size":138,"stargazers_count":82,"open_issues_count":2,"forks_count":20,"subscribers_count":214,"default_branch":"main","last_synced_at":"2025-04-11T23:19:48.257Z","etag":null,"topics":["golang","seccomp","seccomp-bpf-policies"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/elastic.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-04-25T03:27:31.000Z","updated_at":"2025-03-25T11:13:42.000Z","dependencies_parsed_at":"2023-01-14T20:13:18.989Z","dependency_job_id":"e97f9dad-8d16-45da-95c9-6f3dad4b40eb","html_url":"https://github.com/elastic/go-seccomp-bpf","commit_stats":{"total_commits":47,"total_committers":11,"mean_commits":"4.2727272727272725","dds":0.3829787234042553,"last_synced_commit":"3540ecc935a9e0706a5140a4e8c691708c436365"},"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Fgo-seccomp-bpf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Fgo-seccomp-bpf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Fgo-seccomp-bpf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Fgo-seccomp-bpf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/elastic","download_url":"https://codeload.github.com/elastic/go-seccomp-bpf/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248492886,"owners_count":21113163,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","seccomp","seccomp-bpf-policies"],"created_at":"2024-09-24T20:50:42.339Z","updated_at":"2025-04-11T23:19:53.379Z","avatar_url":"https://github.com/elastic.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# go-seccomp-bpf\n\n[![Go Report\nCard](https://goreportcard.com/badge/github.com/elastic/go-seccomp-bpf)](https://goreportcard.com/report/github.com/elastic/go-seccomp-bpf)\n[![Contributors](https://img.shields.io/github/contributors/elastic/go-seccomp-bpf.svg)](https://github.com/elastic/go-seccomp-bpf/graphs/contributors)\n[![GitHub release](https://img.shields.io/github/release/elastic/go-seccomp-bpf.svg?label=changelog)](https://github.com/elastic/go-seccomp-bpf/releases/latest)\n[![Go Documentation](http://img.shields.io/badge/go-documentation-blue.svg?style=flat-square)][godocs]\n\n[godocs]:   http://godoc.org/github.com/elastic/go-seccomp-bpf\n\ngo-seccomp-bpf is a library for Go (golang) for loading a system call filter on\nLinux 3.17 and later by taking advantage of secure computing mode, also known as\nseccomp. Seccomp restricts the system calls that a process can invoke.\n\nThe kernel exposes a large number of system calls that are not used by most\nprocesses. By installing a seccomp filter, you can limit the total kernel\nsurface exposed to a process (principle of least privilege). This minimizes\nthe impact of unknown vulnerabilities that might be found in the process.\n\nThe filter is expressed as a Berkeley Packet Filter (BPF) program. The BPF\nprogram is generated based on a filter policy created by you.\n\n###### Requirements\n\n- Requires Linux 3.17 because it uses the `seccomp` syscall in order to take\n  advantage of the `SECCOMP_FILTER_FLAG_TSYNC` flag to sync the filter to all\n  threads.\n\n###### Features\n\n- Pure Go and does not have a libseccomp dependency.\n- Filters are customizable and can be written as an allowlist or blocklist.\n- Supports system call argument filtering.\n- Uses `SECCOMP_FILTER_FLAG_TSYNC` to sync the filter to all threads created by\n  the Go runtime.\n- Invokes `prctl(PR_SET_NO_NEW_PRIVS, 1)` to set the threads `no_new_privs` bit\n  which is generally required before loading a seccomp filter.\n- [seccomp-profiler](./cmd/seccomp-profiler) tool for automatically generating\n  a allowlist policy based on the system calls that a binary uses.\n\n###### Limitations\n\n- System call tables are only implemented for 386, amd64, arm and arm64.\n  (More system call table generation code should be added to\n  [arch/mk_syscalls_linux.go](./arch/mk_syscalls_linux.go).)\n\n###### Examples\n\n- [GoDoc Package Example](https://godoc.org/github.com/elastic/go-seccomp-bpf#example-package)\n- `sandbox` example in [cmd/sandbox](./cmd/sandbox).\n \n###### Updating syscalls for new Linux releases\n\nThis package contains a list of syscall numbers that are generated from the\nLinux sources. Update the git tag [here](https://github.com/elastic/go-seccomp-bpf/blob/b57d796185ac9f05fc0483554da79c4bbaedcc97/arch/mk_syscalls_linux.go)\nand then run this command to generate the code.\n\n```shell\ndocker run -it --rm -v `pwd`:/go-seccomp-bpf -w /go-seccomp-bpf/arch golang:1.18 go generate\n```\n\n###### Projects Using elastic/go-seccomp-bpf\n\nPlease open a PR to submit your project.\n\n- [elastic/beats](https://www.github.com/elastic/beats)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felastic%2Fgo-seccomp-bpf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Felastic%2Fgo-seccomp-bpf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felastic%2Fgo-seccomp-bpf/lists"}