Add CIS sysctls, migrate prctl to x/sys/unix, add SetNoNewPrivs

Address remaining security review findings:

- Add four CIS-recommended sysctls: perf_event_paranoid,
  yama.ptrace_scope, bpf_jit_harden, and sysrq
- Replace raw syscall.Syscall prctl calls with unix.Prctl()
  from golang.org/x/sys/unix (already an indirect dep)
- Add SetNoNewPrivs() helper for PR_SET_NO_NEW_PRIVS
- Update SECURITY.md with new sysctls, process privilege
  restriction, and filesystem hardening documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: JAORMX

docs/SECURITY.md

@@ -229,6 +229,10 @@ aborting boot, because not all kernels support every sysctl.
 | `kernel.kptr_restrict` | `2` | Hide kernel pointers from all users. Prevents information leaks that aid exploit development. |
 | `kernel.dmesg_restrict` | `1` | Restrict `dmesg` to privileged users. Prevents unprivileged processes from reading kernel log messages that may contain sensitive addresses or operations. |
 | `kernel.unprivileged_bpf_disabled` | `1` | Disable unprivileged BPF. Prevents unprivileged users from loading BPF programs, which have historically been a source of kernel privilege escalation vulnerabilities. |
+| `kernel.perf_event_paranoid` | `3` | Disallow all perf events for unprivileged users. Prevents unprivileged access to performance counters, which can be used for side-channel attacks. |
+| `kernel.yama.ptrace_scope` | `2` | Restrict ptrace to `CAP_SYS_PTRACE` holders. Prevents unprivileged processes from attaching to other processes to inspect memory or inject code. |
+| `net.core.bpf_jit_harden` | `2` | Harden BPF JIT against spraying attacks. Forces constant blinding and disables JIT kallsyms exposure. |
+| `kernel.sysrq` | `0` | Disable magic SysRq key. Prevents unprivileged users from triggering kernel debugging and recovery commands. |
 
 ### Capability bounding set
 
@@ -245,6 +249,32 @@ For a typical SSH-based guest, the minimal keep set is:
 | `CAP_SETGID` | 6 | sshd group switching |
 | `CAP_NET_BIND_SERVICE` | 10 | Binding port 22 (privileged port) |
 
+### Process privilege restriction
+
+`SetNoNewPrivs()` sets the `PR_SET_NO_NEW_PRIVS` bit on the calling
+process. Once set, the process and all descendants (via fork/exec)
+cannot gain new privileges through `execve` — setuid binaries run
+without elevation and file capabilities are ignored.
+
+This is intended to be called after all privileged operations are
+complete (mounts, network config, credential setup, capability
+dropping). Consumers that spawn child processes via `os/exec` inherit
+the bit automatically; consumers that need to set it on the calling
+process itself (e.g., an init that doesn't use `os/exec`) can call
+`SetNoNewPrivs()` directly.
+
+Note: `no_new_privs` does not affect `setresuid`/`setresgid` syscalls
+used by Go's `SysProcAttr.Credential` — credential switching for SSH
+sessions continues to work after the bit is set.
+
+### Filesystem hardening
+
+Consumers should lock down `/root/` (mode `0700`) after completing
+initial setup so the sandbox user cannot read root's home directory
+contents (bootstrap config, debug logs, credentials). This is not
+performed by the `harden` package itself but is a recommended consumer
+practice — see apiary's `lockdownRoot()` for an example.
+
 ### Threat model
 
 These hardening measures are defense-in-depth for the guest

go.mod

@@ -10,10 +10,10 @@ require (
 	github.com/gofrs/flock v0.13.0
 	github.com/google/go-containerregistry v0.20.3
 	github.com/miekg/dns v1.1.72
-	github.com/sirupsen/logrus v1.9.4
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/crypto v0.47.0
 	golang.org/x/sync v0.19.0
+	golang.org/x/sys v0.40.0
 )
 
 require (
@@ -47,6 +47,7 @@ require (
 	github.com/pierrec/lz4/v4 v4.1.14 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
 	github.com/vbatts/tar-split v0.11.6 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
@@ -59,7 +60,6 @@ require (
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	golang.org/x/mod v0.32.0 // indirect
 	golang.org/x/net v0.49.0 // indirect
-	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect

guest/harden/capability.go

@@ -10,7 +10,8 @@ import (
 	"os"
 	"strconv"
 	"strings"
-	"syscall"
+
+	"golang.org/x/sys/unix"
 )
 
 // Linux capability constants. Only the subset typically needed by guest
@@ -23,11 +24,6 @@ const (
 	CapNetBindService uintptr = 10
 )
 
-// prctl constants for capability bounding set manipulation.
-const (
-	prCapBSetDrop = 24 // PR_CAPBSET_DROP
-)
-
 // capLastCap reads the highest valid capability number from
 // /proc/sys/kernel/cap_last_cap. Falls back to 41 (CAP_CHECKPOINT_RESTORE,
 // the highest cap on Linux 6.x kernels) if the file is unreadable.
@@ -80,14 +76,19 @@ func DropBoundingCaps(keep ...uintptr) error {
 // capBSetDrop calls prctl(PR_CAPBSET_DROP, cap) to remove a single
 // capability from the bounding set.
 func capBSetDrop(cap uintptr) error {
-	_, _, errno := syscall.Syscall(
-		syscall.SYS_PRCTL,
-		prCapBSetDrop,
-		cap,
-		0,
-	)
-	if errno != 0 {
-		return fmt.Errorf("prctl(PR_CAPBSET_DROP, %d): %w", cap, errno)
+	if err := unix.Prctl(unix.PR_CAPBSET_DROP, cap, 0, 0, 0); err != nil {
+		return fmt.Errorf("prctl(PR_CAPBSET_DROP, %d): %w", cap, err)
+	}
+	return nil
+}
+
+// SetNoNewPrivs sets the PR_SET_NO_NEW_PRIVS bit on the calling
+// process. Once set, the process and its children cannot gain new
+// privileges through execve (setuid, file capabilities, etc.).
+// This is irreversible for the calling process.
+func SetNoNewPrivs() error {
+	if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+		return fmt.Errorf("prctl(PR_SET_NO_NEW_PRIVS): %w", err)
 	}
 	return nil
 }

guest/harden/capability_test.go

@@ -122,3 +122,12 @@ func TestCapLastCap_ReadsProc(t *testing.T) {
 	// Modern kernels have at least 40 capabilities.
 	assert.GreaterOrEqual(t, got, uintptr(36))
 }
+
+func TestSetNoNewPrivs(t *testing.T) {
+	t.Parallel()
+
+	// SetNoNewPrivs is safe to call in tests — it only affects the
+	// current process and is non-reversible but harmless.
+	err := SetNoNewPrivs()
+	require.NoError(t, err)
+}

guest/harden/sysctl.go

@@ -48,6 +48,26 @@ var defaults = []kernelDefault{
 		value:  "1",
 		reason: "disable unprivileged BPF",
 	},
+	{
+		key:    "kernel.perf_event_paranoid",
+		value:  "3",
+		reason: "disallow all perf events for unprivileged users",
+	},
+	{
+		key:    "kernel.yama.ptrace_scope",
+		value:  "2",
+		reason: "restrict ptrace to CAP_SYS_PTRACE holders",
+	},
+	{
+		key:    "net.core.bpf_jit_harden",
+		value:  "2",
+		reason: "harden BPF JIT against spraying attacks",
+	},
+	{
+		key:    "kernel.sysrq",
+		value:  "0",
+		reason: "disable magic SysRq key",
+	},
 }
 
 // KernelDefaults applies recommended kernel sysctl hardening. Each

guest/harden/sysctl_test.go

@@ -83,5 +83,9 @@ func TestDefaults_AreComplete(t *testing.T) {
 	assert.Equal(t, "2", keys["kernel.kptr_restrict"])
 	assert.Equal(t, "1", keys["kernel.dmesg_restrict"])
 	assert.Equal(t, "1", keys["kernel.unprivileged_bpf_disabled"])
-	assert.Len(t, DefaultsForTest, 3)
+	assert.Equal(t, "3", keys["kernel.perf_event_paranoid"])
+	assert.Equal(t, "2", keys["kernel.yama.ptrace_scope"])
+	assert.Equal(t, "2", keys["net.core.bpf_jit_harden"])
+	assert.Equal(t, "0", keys["kernel.sysrq"])
+	assert.Len(t, DefaultsForTest, 7)
 }