{"id":17520605,"url":"https://github.com/oxzi/syscallset-go","last_synced_at":"2026-01-20T14:33:50.726Z","repository":{"id":134034869,"uuid":"468139526","full_name":"oxzi/syscallset-go","owner":"oxzi","description":"Go library to reduce privileges on Linux by syscall groups through seccomp-bpf.","archived":false,"fork":false,"pushed_at":"2025-10-07T07:05:17.000Z","size":71,"stargazers_count":5,"open_issues_count":5,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-07T09:15:49.582Z","etag":null,"topics":["go","seccomp-bpf"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oxzi.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-03-10T00:35:58.000Z","updated_at":"2025-10-07T07:04:55.000Z","dependencies_parsed_at":"2024-04-25T05:25:51.082Z","dependency_job_id":"36d27612-0156-4cdf-8b45-e7db6fdcb88d","html_url":"https://github.com/oxzi/syscallset-go","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/oxzi/syscallset-go","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oxzi%2Fsyscallset-go","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oxzi%2Fsyscallset-go/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oxzi%2Fsyscallset-go/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oxzi%2Fsyscallset-go/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oxzi","
download_url":"https://codeload.github.com/oxzi/syscallset-go/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oxzi%2Fsyscallset-go/sbom","scorecard":{"id":716054,"data":{"date":"2025-08-11","repo":{"name":"github.com/oxzi/syscallset-go","commit":"a4de1ee0c775e1c3d39a1a9e85f1668273116a2d"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.2,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/20 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 
days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/oxzi/syscallset-go/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/oxzi/syscallset-go/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/oxzi/syscallset-go/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/oxzi/syscallset-go/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/oxzi/syscallset-go/ci.yml/main?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has 
declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: BSD 3-Clause \"New\" or \"Revised\" License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release 
artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 10 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":7,"reason":"3 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T09:41:48.059Z","repository_id":134034869,"created_at":"2025-08-22T09:41:48.060Z","updated_at":"2025-08-22T09:41:48.060Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28604941,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-20T12:01:53.233Z","status":"ssl_error","status_checked_at":"2026-01-20T12:01:46.545Z","response_time":117,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","seccomp-bpf"],"created_at":"2024-10-20T11:24:04.244Z","updated_at":"2026-01-20T14:33:50.707Z","avatar_url":"https://github.com/oxzi.png","language":"Go","readme":"\u003c!--\nSPDX-FileCopyrightText: Alvar Penning\n\nSPDX-License-Identifier: BSD-3-Clause\n--\u003e\n\n# syscallset-go\n\n[![Go Reference](https://pkg.go.dev/badge/github.com/oxzi/syscallset-go.svg)](https://pkg.go.dev/github.com/oxzi/syscallset-go)\n[![CI](https://github.com/oxzi/syscallset-go/actions/workflows/ci.yml/badge.svg)](https://github.com/oxzi/syscallset-go/actions/workflows/ci.yml)\n[![REUSE status](https://api.reuse.software/badge/github.com/oxzi/syscallset-go)](https://api.reuse.software/info/github.com/oxzi/syscallset-go)\n\n`syscallset-go` is an easy-to-use Go library allowing any Go program to restrict its own capabilities on Linux through [`seccomp-bpf`](https://man7.org/linux/man-pages/man2/seccomp.2.html).\nThis makes it possible, for example, to prevent starting other malicious programs or establishing network connections, which drastically reduces the attack surface, including that of third-party libraries.\n\nSince `seccomp-bpf` must be given an exact list of syscalls, which are even architecture-dependent, the creation and maintenance of an allow list is extremely tedious.\nAn easier way is shown by OpenBSD with its [`pledge`](https://man.openbsd.org/pledge.2) command, which expects groups instead of single syscalls.\nBack in the Linux world, systemd allows grouped allowing or disallowing of syscalls via 
[`SystemCallFilter`](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#System%20Call%20Filtering).\n\nThis library brings systemd's `SystemCallFilter`s to Go, allowing both systemd's platform-independent syscall sets as well as specific syscalls.\nInternally, a given _allow list filter_ is converted to a `seccomp-bpf` profile, which is applied using the [go-seccomp-bpf](https://github.com/elastic/go-seccomp-bpf) library.\nAll code is Go, no cgo required.\n\n\n## syscallset-go, the Go Library\n\nThe only relevant function is `LimitTo(syscallFilter string) error`, expecting a filter string which will be applied.\nThis filter is always an allow list of syscall sets and/or single syscalls.\nHowever, it is possible to restrict a previously used syscall set by subtracting syscalls.\n\nThe syntax follows systemd's `SystemCallFilter`, with some small differences.\nTo avoid duplicate documentation, please refer to the [library's documentation](https://pkg.go.dev/github.com/oxzi/syscallset-go).\n\nThe following example would be a simple Go program, restricted to only using `@basic-io` syscalls.\nIt cannot open network connections, files or even list directories.\n\n```go\npackage main\n\nimport (\n  \"fmt\"\n\n  syscallset \"github.com/oxzi/syscallset-go\"\n)\n\nfunc main() {\n  if err := syscallset.LimitTo(\"@basic-io\"); err != nil {\n    panic(err)\n  }\n\n  fmt.Println(\"hello restricted world\")\n}\n```\n\nFor more information about the available syscall sets, please refer to\n- [systemd's documentation](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#System%20Call%20Filtering),\n- [its source code (sorry)](https://github.com/systemd/systemd/blob/main/src/shared/seccomp-util.c), and\n- the generated `syscalls.go` file within this repository.\n\nTo debug which syscalls are missing, exchange `LimitTo` with `LimitAndLog`.\nThis function will not terminate for non-allowed syscalls, but log them to the audit log.\nOne can read this 
log with `auditd -f`.\n\n\n## jail, Proof-of-Concept Jail\n\nThe simple `jail` program within `cmd/jail` allows starting another program with an applied syscallset filter.\n\n```\n$ go build ./cmd/jail\n$ ./jail '@system-service ~@network-io ~@privileged' cowsay 'a somewhat more secure cow'\n ____________________________\n\u003c a somewhat more secure cow \u003e\n ----------------------------\n        \\   ^__^\n         \\  (oo)\\_______\n            (__)\\       )\\/\\\n                ||----w |\n                ||     ||\n```\n\nIn this example, the `cowsay` program is allowed all syscalls within systemd's `@system-service` set except those within `@network-io` and `@privileged`.\nThus, cowsay will not be able to, e.g., upload your SSH private key or adjust your computer's clock.\n\nPlease only take this tool as an example and do not use it for something serious.\nA better tool for exactly this job is already out there, it's called [Firejail](https://firejail.wordpress.com/).\n\n\n## Updating syscalls.go\n\nTo update the `syscalls.go` file within this repository, one needs systemd running on the machine.\nThen, just use the generator tool.\n\n```\n$ go run generator/gen.go generator/go.tmpl \u003e syscalls.go\n$ go run generator/gen.go generator/go-apidoc.tmpl \u003e syscallset.go\n```\n\nAs systemd's userland applications are sufficient, one can use Docker to update the list to a recent version:\n\n```\nuser@host $ docker pull archlinux:latest\nuser@host $ docker run -it --rm -v \"$PWD\":/app archlinux\nroot@container # pacman -Syu go\nroot@container # cd /app\nroot@container # go run generator/gen.go generator/go.tmpl \u003e syscalls.go\nroot@container # go run generator/gen.go generator/go-apidoc.tmpl \u003e syscallset.go\nroot@container # ^D\n```\n\n\n## Security Implications\n\nThe whole point of this library is to increase security by reducing privileges.\nHowever, this code was not audited and might blow up in your face.\nSo please use it with caution and 
feel free to report bugs or even structural errors.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foxzi%2Fsyscallset-go","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foxzi%2Fsyscallset-go","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foxzi%2Fsyscallset-go/lists"}