An open API service indexing awesome lists of open source software.

https://github.com/cuandari/lib-oss


https://github.com/cuandari/lib-oss

discue gatekeeper go golang ptrace seccomp

Last synced: 6 months ago
JSON representation

Awesome Lists containing this project

README

          



Cuandari Logo featuring a medieval helmet



[![contributions - welcome](https://img.shields.io/badge/contributions-welcome-blue/green)](/CONTRIBUTING.md "Go to contributions doc")
[![GitHub License](https://img.shields.io/github/license/cuandari/lib-oss.svg)](https://github.com/cuandari/lib-oss/blob/main/LICENSE)


[![Go Report Card](https://goreportcard.com/badge/github.com/cuandari/lib-oss)](https://goreportcard.com/report/github.com/cuandari/lib-oss)
[![Go](https://img.shields.io/github/go-mod/go-version/cuandari/lib-oss
)](https://github.com/cuandari/lib-oss/blob/main/go.mod)


[![lints](https://github.com/cuandari/lib-oss/actions/workflows/lints.yml/badge.svg)](https://github.com/cuandari/lib-oss/actions/workflows/lints.yml)
[![tests](https://github.com/cuandari/lib-oss/actions/workflows/tests.yml/badge.svg)](https://github.com/cuandari/lib-oss/actions/workflows/tests.yml)

# cuandari/lib - Process Manager with Privilege Restrictions
Go process manager that can be used to
- start other processes and control their lifecycle,
- watch the status of the started process and return appropriate exit codes,
- and, most importantly, **trace and limit the syscalls of the started process**.

This allows you to start trusted and untrusted applications (e.g., Go, Python, Node.js) and limit their access to the file system or the network. With simple command-line flags you can easily grant permissions to the started process.

## Use Cases
- **Securely run untrusted code**: Limit what trusted and untrusted applications can do on your system.
- **Sandboxing**: Create lightweight sandboxes for applications without the overhead of full VMs or containers.
- **Testing and debugging**: Trace syscalls to understand application behavior and identify potential issues.
- **Compliance and auditing**: Enforce strict policies on application behavior for regulatory compliance

## ๐Ÿค Examples
This section shows examples of how processes can be started with different levels of permissions and success. See below how the `curl` command fails until both filesystem and network permissions are granted.

While it's obvious why `curl` needs network permissions, filesystem permissions are necessary to read, e.g., configuration files and shared libraries.

### โŒ No filesystem permissions
In this case, `curl` is only started with a default set of permissions. The command fails because access to the filesystem is denied.
```bash
$ gatekeeper run -- curl -v google.com
[...]
Syscall not allowed: access
enter [pid 4855] access (/etc/ld.so.preload)
PID 4855 exited from signal SIGKILL (killed) (9)
Exiting with code 111
exit status 111
```

### โŒ With filesystem permissions, but no permission to access the network
In this second case, `curl` is started with a default set of permissions and **read access for the file system**. The command still fails because access to the network-related socket syscall gets denied.
```bash
$ gatekeeper run \
--allow-file-system-read \
-- \
curl -v google.com
[...]
Syscall not allowed: socket
enter [pid 4996] socket
PID 4996 exited from signal SIGKILL (killed) (9)
Exiting with code 111
exit status 111
```

### โœ… With filesystem and network permissions
In this case, `curl` is started with read access to the filesystem **and** network. The command then exits with success.
```bash
$ gatekeeper run \
--allow-file-system-read \
--allow-network-client \
--allow-network-local-sockets \
-- \
curl -v google.com
[...]

301 Moved

301 Moved


The document has moved
here.

[...]
PID 5255 exited from exit status 0 (code = 0)
Exiting with code 0
```

### โœ… With filesystem and network permissions
In this case, `curl` is started with read access to only specific folders **and** network. The command then exits with success.
```bash
$ gatekeeper run \
--allow-file-system-read \
--allow-network-client \
--allow-network-local-sockets \
--allow-file-system-path=/etc \
--allow-file-system-path=/lib/x86_64-linux-gnu \
--allow-file-system-path=/usr/lib \
--allow-file-system-path=/usr/share \
--allow-file-system-path=/proc/sys/crypto \
--allow-file-system-path=/home/stfsy \
-- \
curl -v google.com
[...]

301 Moved

301 Moved


The document has moved
here.

[...]
PID 5255 exited from exit status 0 (code = 0)
Exiting with code 0
```

## ๐Ÿ“ฆ Installation
Install the package:

```bash
go get https://github.com/cuandari/lib-oss
```

## ๐Ÿ”ฃ Usage
```bash
./gatekeeper [run|trace] [flags] -- [binary] [args...]
```

### ๐Ÿคบ Permissions
You can pass the following flags.

- Triggers & verbosity:
- `--trigger-enforce-on-log-match` โ€” Enable enforcement when trace output contains this string (use with `--enforce-on-startup=false`).
- `--trigger-enforce-on-signal` โ€” Enable enforcement upon receiving this signal (name or number, use with `--enforce-on-startup=false`).
- `--verbose` โ€” Enable verbose decision logging from the tracer.

- Filesystem:
- `--allow-file-system-read` โ€” Allow read-only filesystem access (open O_RDONLY, read, stat, list).
- `--allow-file-system-write` โ€” Allow modifying the filesystem (create, write, rename, unlink, truncate).
- `--allow-file-system` โ€” Alias for `--allow-file-system-write` (full read/write filesystem access).
- `--allow-file-system-permissions` โ€” Allow changing file ownership and permissions (chmod/chown/fchmod/fchown*).
- `--allow-file-system-path` โ€” Allow whitelisting specific filesystem paths (repeatable); **paths should be absolute**. Example: `--allow-file-system-path=/etc` `--allow-file-system-path=/lib`. When provided, access is restricted to the listed directories (useful to grant minimal read access without enabling broad filesystem permissions).

- Network & sockets:
- `--allow-network-client` โ€” Allow outbound network connections (socket/connect/send/recv).
- `--allow-network-server` โ€” Allow listening sockets and incoming connections (socket/bind/listen/accept).
- `--allow-network-local-sockets` โ€” Allow local-only sockets (AF_UNIX, AF_NETLINK) for client use.
- `--allow-networking` โ€” Enable both client and server networking capabilities.

- Process & runtime:
- `--allow-process-management` โ€” Allow process/thread creation and lifecycle control (exec/fork/clone/wait).
- `--allow-memory-management` โ€” Allow memory mapping and related syscalls (mmap/mprotect/mremap/brk).
- `--allow-signals` โ€” Allow setting and handling POSIX signals (rt_sig*, sigaltstack).
- `--allow-timers-and-clocks-management` โ€” Allow timers and clocks (clock_gettime, timerfd_*, nanosleep).
- `--allow-security-and-permissions` โ€” Allow identity/capability changes and seccomp (setuid/setgid/capset/seccomp). Risky; enable only if needed.
- `--allow-system-information` โ€” Allow system information and rlimit operations (uname/sysinfo/getrlimit/setrlimit).
- `--allow-process-communication` โ€” Allow IPC mechanisms (SysV shared memory, semaphores, mqueue).
- `--allow-process-synchronization` โ€” Allow synchronization primitives (futex/flock/robust list).
- `--allow-misc` โ€” Allow miscellaneous syscalls (includes ioctl, splice, vmsplice).

- Enforcement / baseline / action:
- `--enforce-on-startup` (default true) โ€” Start with enforcement enabled on startup.
- `--allow-implicit-commands` (default true) โ€” Enable the safe baseline implicit permissions (enabled by default).
- `--on-syscall-denied {kill|error}` โ€” Action when a syscall is denied: `kill` (SIGKILL) or `error` (simulate EPERM via SIGSYS).

## Baseline
By default (unless you pass `--allow-implicit-commands=false`), gatekeeper enables a safe baseline including process management, memory, synchronization, signals, basic time queries and sleep (`clock_gettime`, `gettimeofday`, `nanosleep`), miscellaneous, security, and system information. This avoids breaking common applications that need time functions without requiring extra flags. Use `--allow-timers-and-clocks-management` for the full timers/clock set (e.g., `timerfd_*`, `setitimer`), or keep the default minimal set for tighter policies. If you only need to permit access to a small set of directories (for example, `/etc` or `/lib`), prefer `--allow-file-system-path` to whitelist those paths instead of granting broad filesystem read/write permissions. To explicitly disable the implicit baseline, pass `--allow-implicit-commands=false`. (Note: this flag replaces older `--no-implicit-allow`-style usage.)

#### Dynamically allow individual syscalls
In addition to grouped permissions, you can enable specific syscalls directly from the CLI without modifying configuration files. This is useful for targeted exceptions.

- `--allow-syscall-`: allow a single syscall by name.
- `--allow-syscall=`: equivalent form using `=`.

### ๐Ÿ”Ž Trace
The `trace` subcommand runs the given binary and traces its syscalls. For example:

```bash
./gatekeeper trace ls -l
```

## ๐Ÿงช Running Unit Tests
To run tests, run the following command

```bash
./test.sh
```

# ๐Ÿšง Running E2E Tests
To run the end-to-end tests, run the following command

```bash
./test-e2e.sh
```
This will run all the end-to-end tests located in the `test-e2e` directory.

## ๐Ÿ“„ License
[BSD 3-Clause](https://choosealicense.com/licenses/bsd-3-clause/)