//go:build linux
package main
import (
	"fmt"
	"syscall"

	"github.com/gologme/log"
	"golang.org/x/sys/unix"
)
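// applySandbox applies best-effort Linux process hardening when enabled is
// true and is a no-op otherwise.
//
// Three controls are applied, in order:
//
//   - no_new_privs, so that a later execve cannot gain privileges through
//     setuid/setgid bits or file capabilities;
//   - the dumpable flag is cleared, so the kernel will not write a core dump
//     for the process and unprivileged ptrace attach is refused;
//   - RLIMIT_CORE is set to 0 (soft and hard) as a second guard against core
//     files that could contain key material.
//
// It returns a wrapped error naming the first control that failed; controls
// applied before the failure stay in effect. logger must be non-nil when
// enabled is true.
func applySandbox(enabled bool, logger *log.Logger) error {
	if !enabled {
		return nil
	}

	// no_new_privs is a per-thread attribute. The Go runtime has usually
	// started several OS threads before main runs, and a plain prctl(2) only
	// covers the calling thread and threads later cloned from it. Apply the
	// call on every runtime thread so the restriction holds regardless of
	// which thread a goroutine is scheduled on.
	_, _, errno := syscall.AllThreadsSyscall6(
		syscall.SYS_PRCTL, unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0,
	)
	switch errno {
	case 0:
		// Applied on all runtime threads.
	case syscall.ENOTSUP:
		// AllThreadsSyscall6 is unavailable in cgo-linked binaries. Fall back
		// to the calling thread only; in that build mode other threads may
		// remain without no_new_privs.
		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
			return fmt.Errorf("failed to enable no_new_privs: %w", err)
		}
	default:
		return fmt.Errorf("failed to enable no_new_privs: %w", errno)
	}

	// The dumpable flag belongs to the process as a whole, so a single call
	// is sufficient here.
	if err := unix.Prctl(unix.PR_SET_DUMPABLE, 0, 0, 0, 0); err != nil {
		return fmt.Errorf("failed to disable dumpable state: %w", err)
	}

	// Lowering the hard limit as well means the process cannot raise the
	// core size again without CAP_SYS_RESOURCE.
	noCore := unix.Rlimit{Cur: 0, Max: 0}
	if err := unix.Setrlimit(unix.RLIMIT_CORE, &noCore); err != nil {
		return fmt.Errorf("failed to disable core dumps: %w", err)
	}

	logger.Infoln("Linux sandbox hardening enabled: no_new_privs, non-dumpable, core dumps disabled")
	return nil
}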