Documentation
Index
- Constants
- func ListAvailCaps() []string
- func ReqByString(values ...string) ([]cap.Value, error)
- type Capabilities
- func NewCapabilities(bypass bool) (*Capabilities, error)
- func (c *Capabilities) Privileged(cb func() error) error
- func (c *Capabilities) Requested(cb func() error, values ...cap.Value) error
- func (c *Capabilities) Require(values ...cap.Value) error
- func (c *Capabilities) Required(cb func() error) error
- func (c *Capabilities) Unrequire(values ...cap.Value) error
Constants
const (
	Privileged   ringType = iota // ring0 (all capabilities enabled, startup/shutdown)
	Required                     // ring1 (needed capabilities only: config time)
	Requested                    // ring2 (temporary specific capabilities)
	Unprivileged                 // ring3 (no capabilities: runtime)
)
Variables
This section is empty.
Functions
func ListAvailCaps (added in v0.9.0)
func ListAvailCaps() []string
ListAvailCaps lists the capabilities available in the running environment.
Types
type Capabilities (added in v0.9.0)
type Capabilities struct {
// contains filtered or unexported fields
}
func NewCapabilities (added in v0.9.0)
func NewCapabilities(bypass bool) (*Capabilities, error)
func (*Capabilities) Privileged (added in v0.9.0)
func (c *Capabilities) Privileged(cb func() error) error
Privileged is a protection ring with all caps set as Effective.
func (*Capabilities) Requested (added in v0.9.0)
func (c *Capabilities) Requested(cb func() error, values ...cap.Value) error
Requested is a protection ring that needs configuration each time it is called. Instead of making the Required capabilities Effective, as Required() does, it sets as Effective only the given capabilities, for this one call, until the next ring is entered. It is especially needed for startup/shutdown actions that require specific capabilities to be Effective.
func (*Capabilities) Require (added in v0.9.0)
func (c *Capabilities) Require(values ...cap.Value) error
Require is called after initialization. It records the given capabilities as required; those required capabilities are then set as Effective each time Required() is called.
func (*Capabilities) Required (added in v0.9.0)
func (c *Capabilities) Required(cb func() error) error
Required is a protection ring with only the required caps set as Effective.
func (*Capabilities) Unrequire (added in v0.9.0)
func (c *Capabilities) Unrequire(values ...cap.Value) error
Unrequire is only called when the command line option "capabilities drop=X" is given. It removes the user-specified capabilities from the required ring, so that when tracee shifts to ring1 (Required), those capabilities won't be Effective.
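The ring sequence documented above, as an added example that is not the project's own code: a self-contained Go model of the four rings using the same method names. It stands in for the process and libcap state with plain sets (the CapValue string constants and the permitted argument to NewCapabilities are assumptions of the model; the real type is libcap's cap.Value and the real constructor reads the process's sets), and shows the property a caller relies on: a ring raises only its own set for the duration of the callback and always falls back to ring3, even when the callback returns an error or panics.

```go
package main

import "fmt"

// CapValue stands in for libcap's cap.Value; the four names below are
// constructed for this example, not the kernel's capability constants.
type CapValue string

const (
	CapNetAdmin    CapValue = "net_admin"
	CapSysAdmin    CapValue = "sys_admin"
	CapSysPtrace   CapValue = "sys_ptrace"
	CapDacOverride CapValue = "dac_override"
)

type capSet map[CapValue]bool

func toSet(values []CapValue) capSet {
	s := capSet{}
	for _, v := range values {
		s[v] = true
	}
	return s
}

// Ring mirrors the ringType constants documented above.
type Ring int

const (
	Privileged   Ring = iota // ring0: every permitted capability effective
	Required                 // ring1: only the required set effective
	Requested                // ring2: only the values passed to this call
	Unprivileged             // ring3: nothing effective (steady state)
)

// Capabilities models the rings: permitted is the process's ceiling (an argument
// here; the real constructor reads it from the process), required is shaped by
// Require/Unrequire, effective is what is live. bypass disables all checks.
type Capabilities struct {
	bypass                         bool
	permitted, required, effective capSet
	ring                           Ring
}

func NewCapabilities(bypass bool, permitted ...CapValue) *Capabilities {
	return &Capabilities{bypass: bypass, permitted: toSet(permitted),
		required: capSet{}, effective: capSet{}, ring: Unprivileged}
}

// Require adds values to ring1, refusing anything outside the permitted ceiling
// up front rather than failing later inside a callback.
func (c *Capabilities) Require(values ...CapValue) error {
	for _, v := range values {
		if !c.bypass && !c.permitted[v] {
			return fmt.Errorf("require %s: not in permitted set", v)
		}
		c.required[v] = true
	}
	return nil
}

// Unrequire removes values from ring1 (the "capabilities drop=X" path).
func (c *Capabilities) Unrequire(values ...CapValue) error {
	for _, v := range values {
		delete(c.required, v)
	}
	return nil
}

// enter raises exactly want for the duration of cb and always drops back to
// ring3 afterwards, whether cb succeeds, returns an error, or panics.
func (c *Capabilities) enter(ring Ring, want capSet, cb func() error) error {
	if c.bypass {
		return cb()
	}
	eff := capSet{} // fresh copy so cb never aliases the permitted/required sets
	for v := range want {
		if !c.permitted[v] {
			return fmt.Errorf("ring%d: %s not permitted", ring, v)
		}
		eff[v] = true
	}
	c.ring, c.effective = ring, eff
	defer func() { c.ring, c.effective = Unprivileged, capSet{} }()
	return cb()
}

func (c *Capabilities) Privileged(cb func() error) error { return c.enter(Privileged, c.permitted, cb) }
func (c *Capabilities) Required(cb func() error) error   { return c.enter(Required, c.required, cb) }
func (c *Capabilities) Requested(cb func() error, values ...CapValue) error {
	return c.enter(Requested, toSet(values), cb)
}

// Ring and Effective expose the live state so a leak past a callback is visible.
func (c *Capabilities) Ring() Ring       { return c.ring }
func (c *Capabilities) Effective() capSet { return c.effective }

func main() {
	c := NewCapabilities(false, CapNetAdmin, CapSysAdmin, CapSysPtrace)
	_ = c.Require(CapNetAdmin, CapSysPtrace)
	_ = c.Unrequire(CapSysPtrace) // as if "capabilities drop=sys_ptrace" was given
	_ = c.Required(func() error { fmt.Println("ring1 effective:", c.Effective()); return nil })
	fmt.Println("steady state: ring", c.Ring(), c.Effective())
}
```

The checks worth running against the real package are the same ones the model makes visible: after any Privileged, Required or Requested call returns, the Effective set should be empty again (including when the callback failed), a Requested call cannot raise anything outside the Permitted set, and an Unrequire must take effect before ring1 is next entered.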