Add guest-side seccomp BPF filter to harden package

Add ApplySeccomp() to guest/harden which installs a two-tier seccomp
blocklist: kill-on-sight for exploit indicators (io_uring, ptrace, bpf,
kexec, module loading) and EPERM for operational blocks (mount,
namespaces, perf, keyring, landlock, dangerous socket families).

Integrate into boot.Run() via WithSeccomp(true) option for consumers
that want the simple path. Consumers needing custom post-boot privileged
ops can call harden.ApplySeccomp() directly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JAORMX

docs/SECURITY.md

@@ -151,12 +151,19 @@ process, providing natural process-level separation.
 For security-critical deployments, layer additional isolation around
 the runner process:
 
-### seccomp (recommended)
+### seccomp — guest-side (built-in)
+
+The `guest/harden` package provides a built-in seccomp BPF blocklist
+filter for the guest VM. Enable it with `boot.WithSeccomp(true)` or
+call `harden.ApplySeccomp()` directly. See [Seccomp BPF filter](#seccomp-bpf-filter)
+for the full blocklist.
+
+### seccomp — runner-side (recommended)
 
 Restrict the runner's syscalls to only what libkrun and gvisor-tap-vsock
-need. This is the highest-impact hardening measure. After a guest escape,
-the attacker lands in a seccomp jail that limits what syscalls they can
-make.
+need. This is the highest-impact host-side hardening measure. After a
+guest escape, the attacker lands in a seccomp jail that limits what
+syscalls they can make.
 
 ```
 Runner process
@@ -205,8 +212,8 @@ lifetime with no extra coordination.
 
 ## Guest Hardening
 
-The `guest/harden` package provides reusable kernel and capability
-hardening for microVM init processes. It is guest-side code
+The `guest/harden` package provides reusable kernel, capability, and
+syscall hardening for microVM init processes. It is guest-side code
 (`//go:build linux`) with no CGO or krun dependencies.
 
 ### Recommended usage
@@ -217,6 +224,10 @@ Call the hardening functions in your guest init boot sequence:
 2. Call `harden.KernelDefaults(logger)` to apply sysctls.
 3. Perform all privileged operations (mounts, network config, chown).
 4. Call `harden.DropBoundingCaps(keep...)` as the last privileged step.
+5. Call `harden.ApplySeccomp()` as the very last hardening step.
+
+Alternatively, use `boot.WithSeccomp(true)` to have the boot sequence
+apply the seccomp filter automatically after SSH starts.
 
 ### Kernel sysctls
 
@@ -267,6 +278,47 @@ Note: `no_new_privs` does not affect `setresuid`/`setresgid` syscalls
 used by Go's `SysProcAttr.Credential` — credential switching for SSH
 sessions continues to work after the bit is set.
 
+### Seccomp BPF filter
+
+`ApplySeccomp()` installs a seccomp BPF blocklist filter on all OS
+threads. The filter uses `SECCOMP_FILTER_FLAG_TSYNC` to synchronize
+across threads and sets `no_new_privs`. Once applied, it is inherited
+by all child processes and cannot be removed.
+
+The blocklist is split into two tiers:
+
+**Exploitation indicators** (`SECCOMP_RET_KILL_PROCESS`): syscalls that
+legitimate workloads never call — any attempt strongly indicates
+active exploitation.
+
+| Syscall | Reason |
+|---------|--------|
+| `io_uring_setup/enter/register` | Prolific source of kernel CVEs |
+| `ptrace`, `process_vm_readv/writev` | Process debugging / cross-process memory access |
+| `kexec_load/file_load` | Kernel replacement |
+| `init_module/finit_module/delete_module` | Kernel module loading |
+| `bpf` | eBPF — kernel attack surface |
+| `seccomp` | Prevent installing additional filters |
+
+**Operational blocks** (`SECCOMP_RET_ERRNO`/`EPERM`): syscalls that
+runtimes or build tools might innocuously probe — fail gracefully.
+
+| Category | Syscalls |
+|----------|----------|
+| Filesystem manipulation | `mount`, `umount2`, `pivot_root`, `chroot`, `fsopen`, `fsconfig`, `fspick`, `move_mount`, `open_tree` |
+| Namespace creation | `unshare`, `setns`, `clone` (with `CLONE_NEW*` flags) |
+| Side-channel attacks | `perf_event_open`, `userfaultfd` |
+| Kernel keyring | `add_key`, `request_key`, `keyctl` |
+| Landlock | `landlock_create_ruleset`, `landlock_add_rule`, `landlock_restrict_self` |
+| Dangerous socket families | `AF_NETLINK`, `AF_PACKET`, `AF_KEY`, `AF_ALG`, `AF_VSOCK` |
+
+`AF_INET`, `AF_INET6`, and `AF_UNIX` remain allowed for normal
+workload operation.
+
+Note: `clone3` is NOT blocked because glibc 2.34+ uses it for
+`fork()`. Its namespace flags live inside a struct pointer (`arg0`)
+which seccomp BPF cannot inspect.
+
 ### Filesystem hardening
 
 Consumers should lock down `/root/` (mode `0700`) after completing

go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/cenkalti/backoff/v5 v5.0.3
 	github.com/containers/gvisor-tap-vsock v0.8.8
 	github.com/creack/pty v1.1.24
+	github.com/elastic/go-seccomp-bpf v1.6.0
 	github.com/gofrs/flock v0.13.0
 	github.com/google/go-containerregistry v0.21.2
 	github.com/klauspost/compress v1.18.4

go.sum

@@ -39,6 +39,8 @@ github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/elastic/go-seccomp-bpf v1.6.0 h1:NYduiYxRJ0ZkIyQVwlSskcqPPSg6ynu5pK0/d7SQATs=
+github.com/elastic/go-seccomp-bpf v1.6.0/go.mod h1:5tFsTvH4NtWGfpjsOQD53H8HdVQ+zSZFRUDSGevC0Kc=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/foxcpp/go-mockdns v1.2.0 h1:omK3OrHRD1IWJz1FuFBCFquhXslXoF17OvBS6JPzZF0=
@@ -148,8 +150,6 @@ go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
 golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
@@ -158,29 +158,23 @@ golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
 golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
 golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
 golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
 golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=

guest/boot/boot.go

@@ -36,6 +36,7 @@ import (
 //  8. Parse SSH authorized keys
 //  9. Drop bounding capabilities + set no_new_privs
 //  10. Start SSH server
+//  11. Apply seccomp BPF filter (if enabled via [WithSeccomp])
 func Run(logger *slog.Logger, opts ...Option) (shutdown func(), err error) {
 	cfg := defaultConfig()
 	for _, o := range opts {
@@ -156,6 +157,15 @@ func Run(logger *slog.Logger, opts ...Option) (shutdown func(), err error) {
 		}
 	}()
 
+	// 11. Apply seccomp BPF filter (if enabled). This must be the last
+	// step — all mounts, networking, and privileged operations are done.
+	if cfg.seccomp {
+		logger.Info("applying seccomp BPF filter")
+		if err := harden.ApplySeccomp(); err != nil {
+			return nil, fmt.Errorf("applying seccomp filter: %w", err)
+		}
+	}
+
 	logger.Info("sandbox init ready", "ssh_port", cfg.sshPort)
 
 	return func() { srv.Close() }, nil

guest/boot/options.go

@@ -32,6 +32,7 @@ type config struct {
 	userGID             uint32
 	lockdownRoot        bool
 	sshAgentForwarding  bool
+	seccomp             bool
 }
 
 func defaultConfig() *config {
@@ -114,3 +115,19 @@ func WithSSHHostKeyPath(path string) Option {
 func WithSSHAgentForwarding(enabled bool) Option {
 	return optionFunc(func(c *config) { c.sshAgentForwarding = enabled })
 }
+
+// WithSeccomp controls whether a seccomp BPF blocklist filter is
+// applied as the last step of the boot sequence. When enabled, the
+// filter blocks dangerous syscalls (io_uring, ptrace, bpf, mount,
+// namespace creation, etc.) while allowing normal workload operation.
+//
+// The filter is applied after the SSH server starts so all privileged
+// operations are already complete. It is inherited by all child
+// processes via fork+exec.
+//
+// Consumers that need to perform additional privileged operations
+// after boot (e.g. custom mounts) should leave this disabled and
+// call [harden.ApplySeccomp] manually at the appropriate time.
+func WithSeccomp(enabled bool) Option {
+	return optionFunc(func(c *config) { c.seccomp = enabled })
+}

guest/harden/doc.go

@@ -3,13 +3,14 @@
 
 //go:build linux
 
-// Package harden provides guest-side kernel and capability hardening for
-// microVM init processes. It restricts kernel information leaks, limits
-// unprivileged access to dangerous subsystems, and drops unneeded
-// capabilities from the bounding set.
+// Package harden provides guest-side kernel, capability, and syscall
+// hardening for microVM init processes. It restricts kernel information
+// leaks, limits unprivileged access to dangerous subsystems, drops
+// unneeded capabilities from the bounding set, and installs a seccomp
+// BPF filter that blocks dangerous syscalls.
 //
-// Consumers (e.g. apiary-init) should call [KernelDefaults] early in the
-// boot sequence (after /proc is mounted) and [DropBoundingCaps] last,
-// just before starting the workload, so that all privileged operations
-// (mounts, network config, chown) are already complete.
+// Consumers should call [KernelDefaults] early in the boot sequence
+// (after /proc is mounted), [DropBoundingCaps] after all privileged
+// operations are complete, and [ApplySeccomp] as the very last
+// hardening step — after mounts, networking, and SSH are ready.
 package harden