Implement syscall restritions with seccomp

README.md

@@ -6,7 +6,7 @@ bscdiff compares bsc, issue, fate (it's a SUSE thing) and CVE numbers from a sou
 ## Usage
 
 ```
-brejoc@alpha ~> ./bscdiff source.changes target.changes
+$ ./bscdiff source.changes target.changes
 508: bsc#1098394 -> - Fix file.get_diff regression on 2018.3 (bsc#1098394)
 525: bsc#1098394 -> - Fix file.managed binary file utf8 error (bsc#1098394)
 4092: bsc#565656565 -> - uploaded to salt 1.12.0 (bsc#565656565, bsc#676767676)
@@ -28,7 +28,7 @@ bscdiff looks for the following patterns:
 
 ## Building bscdiff
 
-Since no external dependency was used, you can just do a `go build bscdiff.go`.
+Since Go modules are used and everything is vendorized, a simple `go build` should be enough. But you need the devel lib of seccomp: libseccomp-dev on Debian based systemes and libseccomp-devel on openSUSE or Redhat based systems.
 
 ## Installation
 

bscdiff.go

@@ -14,6 +14,12 @@ import (
 	"sort"
 )
 
+func init() {
+	// The syscall restriciton is only available for Linux right now via
+	// seccomp.
+	applySyscallRestrictions()
+}
+
 type searchResult struct {
 	line  int
 	match []string

go.mod

@@ -1,3 +1,5 @@
 module github.com/brejoc/bscdiff
 
 go 1.12
+
+require github.com/seccomp/libseccomp-golang v0.9.1

go.sum

@@ -0,0 +1,2 @@
+github.com/seccomp/libseccomp-golang v0.9.1 h1:NJjM5DNFOs0s3kYE1WUOr6G8V97sdt46rlXTMfXGWBo=
+github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=

syscall-restrictions-linux.go

@@ -0,0 +1,38 @@
+// +build linux
+
+package main
+
+import (
+	"fmt"
+	"syscall"
+
+	libseccomp "github.com/seccomp/libseccomp-golang"
+)
+
+func applySyscallRestrictions() {
+	var syscalls = []string{"read", "write", "close", "mmap", "munmap",
+		"rt_sigaction", "rt_sigprocmask", "clone", "execve", "sigaltstack",
+		"arch_prctl", "gettid", "futex", "sched_getaffinity", "epoll_ctl",
+		"openat", "newfstatat", "readlinkat", "pselect6", "epoll_pwait",
+		"epoll_create1", "exit_group"}
+	whiteList(syscalls)
+}
+
+// Load the seccomp whitelist.
+func whiteList(syscalls []string) {
+
+	filter, err := libseccomp.NewFilter(
+		libseccomp.ActErrno.SetReturnCode(int16(syscall.EPERM)))
+	if err != nil {
+		fmt.Printf("Error creating filter: %s\n", err)
+	}
+	for _, element := range syscalls {
+		// fmt.Printf("[+] Whitelisting: %s\n", element)
+		syscallID, err := libseccomp.GetSyscallFromName(element)
+		if err != nil {
+			panic(err)
+		}
+		filter.AddRule(syscallID, libseccomp.ActAllow)
+	}
+	filter.Load()
+}

syscall-restrictions-not-implemented.go

@@ -0,0 +1,7 @@
+// +build !linux
+
+package main
+
+// We only have seccomp for linux right now.
+func appylSyscallRestrictions() {
+}