Brussels / 31 January & 1 February 2026


gomodjail: library sandboxing for Go modules
Open source is under attack. Most notably, the xz/liblzma backdoor incident (CVE-2024-3094) showed how even trusted and widely adopted libraries can be compromised. In addition, since February 2025 the Go language community has been observing an enormous number of malicious Go modules being published with fake GitHub stars and very plausible-looking contents.

This session introduces gomodjail, an experimental tool that "jails" Go modules by applying syscall restrictions using seccomp and symbol tables, so as to mitigate potential supply chain attacks and other vulnerabilities. In other words, gomodjail provides a "container" engine for Go modules, but at a finer granularity than Docker containers, FreeBSD jails, etc.

gomodjail focuses on simplicity: a security policy for gomodjail can be applied just by adding a "// gomodjail:confined" comment to the go.mod file of the target program.

The session will discuss its design, implementation details, limitations (e.g., support for modules that use "unsafe" pointers or reflection), and the plan to improve its robustness and performance.

Repository: https://github.com/AkihiroSuda/gomodjail

Speakers

Akihiro Suda