Node wrapper around libseccomp
Requirements:
- a Linux distribution
- a C/C++ toolchain (GCC, etc.), needed to build the native addon at install time
- libseccomp >= 2.4.0
If you don't know what seccomp is, have a look here.
This is a wrapper around the libseccomp C library, which is itself a friendlier interface over the seccomp(2) syscall and the classic BPF filter programs it takes (seccomp filters are classic BPF, not eBPF). In a nutshell, it intercepts the system calls a process makes and tells the Linux kernel what to do when a given syscall is hit: typically allow it, fail it with an errno of your choice, or kill the process when an unexpected syscall shows up.
SCMP_ACT_KILL_PROCESS
Only available as of libseccomp 2.4.0. It ensures the whole process (every thread) is killed, not just the thread that made the syscall. It is the only kill action exposed in this module.
SCMP_ACT_KILL
⛔ This action isn't supported by this module.
SCMP_ACT_KILL only kills the thread that made the offending syscall. With the way Node.js works internally with V8 and libuv, it is unpredictable exactly what happens when one of its threads is killed, and in my tests the application just appears to hang and never recovers.
SCMP_ACT_ERRNO
Takes an errno value (e.g. SCMP_ACT_ERRNO(EADDRINUSE)). The syscall is not executed; the caller gets -1 back with that errno set, so the application sees an ordinary error it can handle.
SCMP_ACT_ALLOW
The syscall runs normally. Used either as the default action passed to init() when you only want to deny a few syscalls, or as the rule action for the syscalls you whitelist when the default denies everything.
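To make the action semantics above concrete, here is what a filter like the README's bind rule looks like at the kernel level, written directly against seccomp(2)'s classic-BPF interface rather than through libseccomp or this module. This is an added example, not part of node-seccomp; install_errno_filter and bind_is_refused_with are names chosen here. It installs the equivalent of init(SCMP_ACT_ALLOW) plus ruleAdd(SCMP_ACT_ERRNO(err), 'bind') in a forked child (a loaded filter can never be removed from a process), kills the process for any syscall made through a foreign ABI (the raw form of SCMP_ACT_KILL_PROCESS), and then checks that bind(2) fails with the chosen errno without the kernel ever running it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Older kernel headers lack the "kill the whole process" return value (added in 4.14). */
#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Audit arch of the build target: syscall numbers differ per ABI, so a filter
 * that only compares numbers must refuse syscalls made through any other ABI. */
#if defined(__x86_64__)
#  define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Install a classic-BPF seccomp filter equivalent to
 *   init(SCMP_ACT_ALLOW) + ruleAdd(SCMP_ACT_ERRNO(err), <nr>)
 * Every syscall is allowed except `nr`, which returns -1/err to the caller
 * without executing. A foreign-ABI syscall kills the whole process.
 * Returns 0 on success, -1 with errno set on failure. */
static int install_errno_filter(int nr, int err)
{
    struct sock_filter prog[] = {
        /* A = seccomp_data.arch; if it is ours skip the kill, else kill the process */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* A = seccomp_data.nr; if it is the blocked syscall, fail it with errno */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ((unsigned int)err & SECCOMP_RET_DATA)),
        /* everything else runs normally (SCMP_ACT_ALLOW) */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = (unsigned short)(sizeof(prog) / sizeof(prog[0])),
        .filter = prog,
    };

    /* Required before an unprivileged process may install a filter; it also
     * stops setuid/fscaps binaries from gaining privileges under the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Run the README's scenario natively: block bind(2) with `err` in a child
 * process, then try to bind a loopback TCP socket there. Returns 1 if bind
 * failed with exactly `err` (the filter worked), 0 otherwise. */
static int bind_is_refused_with(int err)
{
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        if (install_errno_filter(SYS_bind, err) != 0)
            _exit(2);
        int fd = socket(AF_INET, SOCK_STREAM, 0);   /* socket(2) is still allowed */
        if (fd < 0)
            _exit(3);
        struct sockaddr_in addr = {
            .sin_family = AF_INET,
            .sin_port = htons(0),
            .sin_addr.s_addr = htonl(INADDR_LOOPBACK),
        };
        int rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
        /* The kernel never ran bind(); the filter returned -1 with our errno. */
        _exit(rc == -1 && errno == err ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    if (bind_is_refused_with(EADDRINUSE))
        puts("bind() refused with EADDRINUSE by the seccomp filter");
    else
        puts("filter did not behave as expected (seccomp unavailable here?)");
    return 0;
}
```

The arch check at the top is the part most hand-written filters forget: without it, a process could issue syscalls through a compat ABI whose numbering differs and slip past a number-only rule. libseccomp emits the same check for you, which is one reason to use it (or this module) instead of writing BPF by hand.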
$ npm install --save node-seccomp
Example:

```js
const {
  SCMP_ACT_ALLOW,
  SCMP_ACT_ERRNO,
  NodeSeccomp,
  errors: {
    EADDRINUSE
  }
} = require('node-seccomp')

const seccomp = NodeSeccomp()

seccomp
  .init(SCMP_ACT_ALLOW)                         // default: let every syscall through
  .ruleAdd(SCMP_ACT_ERRNO(EADDRINUSE), 'bind')  // except bind(2), which fails with EADDRINUSE
  .load()                                       // hand the filter to the kernel; it cannot be removed afterwards

// bind(2) is never executed, so listen() reports the errno the filter returned:
// Error: listen EADDRINUSE: address already in use 0.0.0.0:8000
require('http').createServer((req, res) => {
  res.end('hello\n')
}).listen(8000)
```