{"id":18709495,"url":"https://github.com/joemiller/go-jail","last_synced_at":"2025-11-09T11:30:29.870Z","repository":{"id":138236818,"uuid":"121156100","full_name":"joemiller/go-jail","owner":"joemiller","description":"[experiment] simple wrapper for executing sandboxed processes using Seccomp and capabilities filters","archived":false,"fork":false,"pushed_at":"2018-03-07T00:32:47.000Z","size":16,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-02-15T08:56:04.273Z","etag":null,"topics":["jail","seccomp","syscalls","wrapper"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/joemiller.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-02-11T18:55:00.000Z","updated_at":"2019-08-06T15:55:37.000Z","dependencies_parsed_at":null,"dependency_job_id":"df7a086c-bc37-47b8-a6e6-4bdd93c9c448","html_url":"https://github.com/joemiller/go-jail","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemiller%2Fgo-jail","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemiller%2Fgo-jail/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemiller%2Fgo-jail/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemiller%2Fgo-jail/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/joemiller","do
wnload_url":"https://codeload.github.com/joemiller/go-jail/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239571905,"owners_count":19661246,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jail","seccomp","syscalls","wrapper"],"created_at":"2024-11-07T12:27:46.234Z","updated_at":"2025-11-09T11:30:29.841Z","avatar_url":"https://github.com/joemiller.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"go-jail\n=======\n\nSimple wrapper for executing processes under a sandbox. Sandboxing is implemented\nwith capabilities(7) filtering, and seccomp2 (syscall) filtering.\n\nWARNING: Consider this alpha quality software. It is an experiment at this stage.\nDon't use in production, I haven't (but if you do, please send feedback via\ngithub issues).\n\nUsage\n-----\n\nThe wrapper should be invoked as root.\n\nRequired arguments:\n\n- `-user`: User name or UID prefixed with `#` to execute command as.\n- `-group`: Group name or GID prefixed with `#` to execute command as.\n- `command [args]`: the command and args to wrap.\n\nOptional arguments:\n\n- `-caps=\"...\"`: Comma separated list of `capabilities(7)` to include in the\n  capability bounding set. Empty string to drop all capabilities (default if not specified)\n- `-syscall-allow=\"...\"`: Comma separated list of system calls to allow. This is effectively\n  a whitelist mode. All system calls not listed here will be denied with `EPERM` error code.\n- `-syscall-block=\"...\"`: Comma separated list of system calls to block. 
This is effectively\n  a blacklist mode. All system calls listed here will be denied with `EPERM` error code, and the\n  rest will be allowed.\n\nExamples:\n\n1. Run a process as user `daemon`, group `daemon`:\n\n```\n$ go-jail -user daemon -group daemon -- whoami\n```\n\nNote that by default an empty capability set is applied:\n\n```\n$ go-jail -user daemon -group daemon -- grep CapBnd /proc/self/status\nCapBnd: 0000000000000000\n```\n\n2. Run with limited capability bounding set:\n\n```\n$ go-jail -user \"daemon\" -group \"daemon\" --caps=\"CAP_CHOWN,CAP_KILL,CAP_DAC_OVERRIDE\" -- grep CapBnd /proc/self/status\nCapBnd: 0000000000000023\n```\n\n3. Run with a restricted list of allowed syscalls:\n\n```\n$ go-jail -user daemon -group daemon -syscall-allow=\"execve,exit,read,open,close,mmap,mmap2,fstat,fstat64,access,mprotect,set_thread_area,brk,openat,exit_group,prctl,arch_prctl,write\" \\\n    -- echo \"just enough system calls for echo to succeed\"\njust enough system calls for echo to succeed\n```\n\nWhen running with `-syscall-allow` you will need a minimum set of syscalls for most\nprograms to execute correctly at all. The list above is a start.\n\n4. Run with a list of system calls to deny:\n\n```\n$ go-jail -user daemon -group daemon -syscall-deny=\"write\" \\\n-- echo \"just enough system calls for echo to succeed\"\n$ echo $?\n1\n```\n\nDevelopment \u0026 Testing\n---------------------\n\nThis project is Linux specific and must be built and tested within Linux. You can\nstill do \"local development\" on macOS with Docker installed. 
Use the `make devshell`\ncommand to create an interactive container suitable for build and test tasks.\n\n```\n$ make devshell\n...\nroot@f9962fe0a031:/go/src/github.com/joemiller/go-jail# make deps\nroot@f9962fe0a031:/go/src/github.com/joemiller/go-jail# make test\nroot@f9962fe0a031:/go/src/github.com/joemiller/go-jail# make build\nroot@f9962fe0a031:/go/src/github.com/joemiller/go-jail# exit\n```\n\n### Dependencies\n\nYou will need libseccomp-dev (debian) or libseccomp-devel (redhat) packages installed\nto build a binary. The `build` and `test` make targets will build and run within a docker\ncontainer that has these dependencies. This makes it easy to develop and build/test\non platforms other than Linux (ie: macOS).\n\nTo run tests, install `bats` (available in most distros).\n\nRun `make deps` to install Go dependencies.\n\nThe `./Dockerfile.build` is also a good reference for package dependencies.\n\n### Tests\n\nRun `make test`. You must run `make build` first to create the go-jail binary. Tests\nare performed using `bats` utilizing the binary.\n\n### Build\n\nRun `make build`\n\n\nTODO:\n----\n\n- [x] decide on UI:\n  - [x] minimal -- take a list of capabilities to add/drop, and a list of syscalls to blacklist or whitelist\n  - [ ] oci/docker compatibility -- take a config.json file and use the capabilities and seccomp\n      settings. This would allow more granular seccomp policies such as filtering on the args\n      to syscalls\n- [x] CI/CD pipeline. build linux amd64 binary and push to github-releases\n- [ ] add license file\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoemiller%2Fgo-jail","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjoemiller%2Fgo-jail","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoemiller%2Fgo-jail/lists"}