push

cmd/yggdrasil/sandbox_linux.go

@@ -0,0 +1,27 @@
+//go:build linux
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/gologme/log"
+	"golang.org/x/sys/unix"
+)
+
+func applySandbox(enabled bool, logger *log.Logger) error {
+	if !enabled {
+		return nil
+	}
+	if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+		return fmt.Errorf("failed to enable no_new_privs: %w", err)
+	}
+	if err := unix.Prctl(unix.PR_SET_DUMPABLE, 0, 0, 0, 0); err != nil {
+		return fmt.Errorf("failed to disable dumpable state: %w", err)
+	}
+	if err := unix.Setrlimit(unix.RLIMIT_CORE, &unix.Rlimit{Cur: 0, Max: 0}); err != nil {
+		return fmt.Errorf("failed to disable core dumps: %w", err)
+	}
+	logger.Infoln("Linux sandbox hardening enabled: no_new_privs, non-dumpable, core dumps disabled")
+	return nil
+}