This repository has been archived by the owner on Oct 26, 2022. It is now read-only.

roryrjb/node-seccomp

node-seccomp

Node wrapper around libseccomp

Requirements

  • a Linux distribution
  • C/C++ tool stack (GCC, etc...)
  • libseccomp >= 2.4.0

What this is

If you don't know what seccomp is, have a look here.

This is a wrapper around the libseccomp C library, which is itself an interface over the seccomp syscall and eBPF. In a nutshell, it is used to intercept system calls in a process and have the Linux kernel act on the process, or on the information about the call. Generally this means killing the process or raising an error when an unexpected syscall is made.

SCMP_ACT_KILL_PROCESS

Only available as of version 2.4.0 of libseccomp. It ensures the whole process is killed. It is the only kill action exposed in this module.

SCMP_ACT_KILL

⛔ This action isn't supported by this module.

With Node.js and the way it works internally with V8 and libuv, if a thread is killed it's unpredictable exactly what will happen, and in my tests, the application just appears to hang and never recovers.

SCMP_ACT_ERRNO

⚠️ Use of this action is not recommended.

SCMP_ACT_ALLOW

Installation

$ npm install --save node-seccomp

Usage

Example:

const {
  SCMP_ACT_ALLOW,
  SCMP_ACT_ERRNO,
  NodeSeccomp,
  errors: {
    EADDRINUSE
  }
} = require('./') // require('node-seccomp') once installed from npm

const seccomp = NodeSeccomp()

seccomp
  .init(SCMP_ACT_ALLOW)                        // default action: allow every syscall
  .ruleAdd(SCMP_ACT_ERRNO(EADDRINUSE), 'bind') // except bind(2), which now fails with EADDRINUSE
  .load()                                      // install the filter for this process

require('http').createServer((req, res) => {
  res.end('hello\n')
}).listen(8000) // Error: listen EADDRINUSE: address already in use 0.0.0.0:8000
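The example above installs a single errno rule before the server starts. The block below is an added example, not code from node-seccomp or its author, showing the same init/ruleAdd/load sequence driven from a small declarative deny list: a default of SCMP_ACT_ALLOW, SCMP_ACT_KILL_PROCESS for syscalls the process should never make, and SCMP_ACT_ERRNO where a soft failure is wanted. It assumes the API exactly as documented on this page (NodeSeccomp, init, ruleAdd, load, SCMP_ACT_ALLOW, SCMP_ACT_KILL_PROCESS, SCMP_ACT_ERRNO(errno), errors), that errors carries the usual errno names beyond the EADDRINUSE shown above, and that the package is installed on a Linux host with libseccomp >= 2.4.0. The helper names buildPolicy and applyPolicy and the sample deny list (execve, ptrace) are this example's own. The module is required lazily so the policy-building logic can be exercised on any platform.

```javascript
// Added example for node-seccomp (not the project's own code).
// Assumed API: NodeSeccomp().init(action).ruleAdd(action, name).load(),
// SCMP_ACT_ALLOW, SCMP_ACT_KILL_PROCESS, SCMP_ACT_ERRNO(code), errors.

const KINDS = new Set(['kill', 'errno'])

// Turn a declarative deny list into an ordered, validated rule list.
// entries look like { syscall: 'execve', kind: 'kill' } or
// { syscall: 'bind', kind: 'errno', code: 'EADDRINUSE' }.
// 'kill' always maps to SCMP_ACT_KILL_PROCESS; plain SCMP_ACT_KILL is not
// offered because the README documents it as unsupported in this module.
function buildPolicy (deny) {
  const seen = new Set()
  const rules = []
  for (const entry of deny) {
    if (typeof entry.syscall !== 'string' || entry.syscall === '') {
      throw new TypeError('syscall name must be a non-empty string')
    }
    if (!KINDS.has(entry.kind)) {
      throw new TypeError(`unsupported action kind: ${entry.kind}`)
    }
    if (entry.kind === 'errno' && typeof entry.code !== 'string') {
      throw new TypeError(`errno rule for ${entry.syscall} needs an errno name such as EPERM`)
    }
    if (seen.has(entry.syscall)) continue // one rule per syscall keeps the filter small
    seen.add(entry.syscall)
    rules.push({ syscall: entry.syscall, kind: entry.kind, code: entry.code || null })
  }
  return { defaultAction: 'SCMP_ACT_ALLOW', rules }
}

// Apply a policy built above. Returns true once the filter is loaded and
// false when the native module cannot be loaded (not installed, not Linux).
// `loader` exists so the call sequence can be checked against a stub.
function applyPolicy (policy, loader = () => require('node-seccomp')) {
  let mod
  try {
    mod = loader()
  } catch (err) {
    return false
  }
  const filter = mod.NodeSeccomp().init(mod[policy.defaultAction])
  for (const rule of policy.rules) {
    let action
    if (rule.kind === 'kill') {
      action = mod.SCMP_ACT_KILL_PROCESS
    } else {
      const code = mod.errors[rule.code]
      if (code === undefined) throw new Error(`unknown errno name: ${rule.code}`)
      action = mod.SCMP_ACT_ERRNO(code)
    }
    filter.ruleAdd(action, rule.syscall)
  }
  filter.load() // from here on the filter applies to this process
  return true
}

// Constructed sample: a web worker that should never spawn programs or
// attach a debugger. Do all setup that still needs denied syscalls before
// this point; the filter only affects syscalls made after load().
const samplePolicy = buildPolicy([
  { syscall: 'execve', kind: 'kill' },
  { syscall: 'ptrace', kind: 'kill' },
  { syscall: 'execve', kind: 'kill' } // duplicate, dropped by buildPolicy
])

const loaded = applyPolicy(samplePolicy)
console.log(loaded
  ? `seccomp filter loaded with ${samplePolicy.rules.length} rules`
  : 'node-seccomp unavailable on this host; running without a filter')
```

Because the filter is installed in the running process, order matters in the same way as in the README example: any syscall the program still needs for setup (binding a port, opening log files) has to happen before applyPolicy, and anything denied with a kill rule afterwards ends the whole process rather than raising an error.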