capabilities

package

v0.9.3 Latest Latest Go to latest Published: Nov 3, 2022 License: Apache-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/aquasecurity/tracee

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func Initialize(bypass bool) error
func ListAvailCaps() []string
func ReqByString(values ...string) ([]cap.Value, error)
type Capabilities
- func GetInstance() *Capabilities

Constants ¶

View Source

const (
	Privileged   ringType = iota // ring0 (all capabilities enabled, startup/shutdown)
	Required                     // ring1 (needed capabilities only: config time)
	Requested                    // ring2 (temporary specific capabilities)
	Unprivileged                 // ring3 (no capabilities: runtime)
)

Variables ¶

This section is empty.

Functions ¶

func Initialize ¶ added in v0.9.2

func Initialize(bypass bool) error

Initialize initializes the "caps" instance (singleton).

func ListAvailCaps ¶ added in v0.9.0

func ListAvailCaps() []string

ListAvailCaps lists available capabilities in the running environment

func ReqByString ¶ added in v0.9.0

func ReqByString(values ...string) ([]cap.Value, error)

Types ¶

type Capabilities ¶ added in v0.9.0

type Capabilities struct {
	// contains filtered or unexported fields
}

func GetInstance ¶ added in v0.9.2

func GetInstance() *Capabilities

GetInstance returns current "caps" instance. It initializes capabilities if needed, bypassing the privilege dropping by default.

func (*Capabilities) Privileged ¶ added in v0.9.0

func (c *Capabilities) Privileged(cb func() error) error

Privileged is a protection ring with all caps set as Effective.

func (*Capabilities) Requested ¶ added in v0.9.0

func (c *Capabilities) Requested(cb func() error, values ...cap.Value) error

Requested is a protection ring that needs configuration each time it is called. Instead of making Required capabilities Effective, like Required(), it sets as Effective only given capabilities, for a single time, until the next ring is called. It is specially needed for startup/shutdown actions that might require specific capabilities Effective.

func (*Capabilities) Require ¶ added in v0.9.0

func (c *Capabilities) Require(values ...cap.Value) error

Require is called after initialization, configures all required capabilities, and those required capabilities are set as Effective each time Required() is called.

func (*Capabilities) Required ¶ added in v0.9.0

func (c *Capabilities) Required(cb func() error) error

Required is a protection ring with only the required caps set as Effective.

func (*Capabilities) Unrequire ¶ added in v0.9.0

func (c *Capabilities) Unrequire(values ...cap.Value) error

Unrequire is only called when command line "capabilities drop=X" is given. It works by removing, from the required ring, the capabilities given by the user. This way, when tracee shifts to ring1 (Required), that capability won't be Effective.

Source Files ¶

View all Source files

capabilities.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL