Documentation ¶
Index ¶
- func CallForkmknod(c Instance, dev deviceConfig.Device, requestPID int, s *state.State) int
- func CreateProfile(s *state.State, c Instance) error
- func DeleteProfile(c Instance)
- func FindTGID(procFd int) (uint32, error)
- func InstanceNeedsIntercept(s *state.State, c Instance) (bool, error)
- func InstanceNeedsPolicy(c Instance) bool
- func MakePidFd(pid int, s *state.State) (int, *os.File)
- func MountSyscallFilter(config map[string]string) []string
- func ProfilePath(c Instance) string
- func SyscallInterceptMountFilter(config map[string]string) (map[string]string, error)
- func TaskIDs(pid int) (UID int64, GID int64, fsUID int64, fsGID int64, err error)
- type Instance
- type Iovec
- type MknodArgs
- type MountArgs
- type SchedSetschedulerArgs
- type Server
- func (s *Server) HandleBpfSyscall(c Instance, siov *Iovec) int
- func (s *Server) HandleFinitModuleSyscall(c Instance, siov *Iovec) int
- func (s *Server) HandleInvalid(fd int, siov *Iovec)
- func (s *Server) HandleMknodSyscall(c Instance, siov *Iovec) int
- func (s *Server) HandleMknodatSyscall(c Instance, siov *Iovec) int
- func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int
- func (s *Server) HandleSchedSetschedulerSyscall(c Instance, siov *Iovec) int
- func (s *Server) HandleSetxattrSyscall(c Instance, siov *Iovec) int
- func (s *Server) HandleSysinfoSyscall(c Instance, siov *Iovec) int
- func (s *Server) HandleValid(fd int, siov *Iovec, ...) error
- func (s *Server) MountSyscallShift(c Instance, path string) idmap.IdmapStorageType
- func (s *Server) MountSyscallValid(c Instance, args *MountArgs) (bool, string)
- func (s *Server) Stop() error
- type SetxattrArgs
- type Sysinfo
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CallForkmknod ¶
CallForkmknod runs the forkmknod helper for the device dev on behalf of the process requestPID in instance c, and returns an integer result code for the intercepted mknod request.
func CreateProfile ¶
CreateProfile creates the seccomp profile for the instance c, returning an error on failure.
func InstanceNeedsIntercept ¶
InstanceNeedsIntercept returns whether syscall interception needs to be set up for the instance c, or an error if that could not be determined.
func InstanceNeedsPolicy ¶
InstanceNeedsPolicy returns whether a seccomp policy must be generated for the instance.
func MountSyscallFilter ¶
MountSyscallFilter returns the mount syscall filter entries derived from the instance config.
func ProfilePath ¶
ProfilePath returns the path to the instance's seccomp profile.
func SyscallInterceptMountFilter ¶
SyscallInterceptMountFilter creates a new mount syscall interception filter from config, returning the filter settings or an error.
Types ¶
type Instance ¶
type Instance interface { Name() string Project() api.Project ExpandedConfig() map[string]string IsPrivileged() bool Architecture() int RootfsPath() string CGroup() (*cgroup.CGroup, error) CurrentIdmap() (*idmap.IdmapSet, error) DiskIdmap() (*idmap.IdmapSet, error) IdmappedStorage(path string, fstype string) idmap.IdmapStorageType InsertSeccompUnixDevice(prefix string, m deviceConfig.Device, pid int) error }
Instance is a seccomp-specific instance interface. It is used instead of instance.Instance to avoid import loops.
type Iovec ¶
type Iovec struct {
// contains filtered or unexported fields
}
Iovec defines an iovec to move data between kernel and userspace.
func NewSeccompIovec ¶
NewSeccompIovec creates a new seccomp iovec.
func (*Iovec) IsValidSeccompIovec ¶
IsValidSeccompIovec reports whether a received seccomp iovec is well-formed. A received request should be treated as untrusted input and only acted on once this check passes (see HandleValid and HandleInvalid).
func (*Iovec) PutSeccompIovec ¶
func (siov *Iovec) PutSeccompIovec()
PutSeccompIovec releases a seccomp iovec; it is the counterpart of NewSeccompIovec.
func (*Iovec) ReceiveSeccompIovec ¶
ReceiveSeccompIovec receives a seccomp notifier message into the iovec.
type MknodArgs ¶
type MknodArgs struct {
// contains filtered or unexported fields
}
MknodArgs holds the arguments of an intercepted mknod syscall.
type MountArgs ¶
type MountArgs struct {
// contains filtered or unexported fields
}
MountArgs holds the arguments of an intercepted mount syscall.
type SchedSetschedulerArgs ¶
type SchedSetschedulerArgs struct {
// contains filtered or unexported fields
}
SchedSetschedulerArgs holds the arguments of an intercepted sched_setscheduler syscall.
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
Server defines a seccomp notify server: it receives intercepted syscalls from instance processes and dispatches them to the Handle*Syscall methods. Because the handlers act outside the requesting process's sandbox, their arguments must be validated as untrusted input before anything is done on the requester's behalf.
func NewSeccompServer ¶
func NewSeccompServer(s *state.State, path string, findPID func(pid int32, state *state.State) (Instance, error)) (*Server, error)
NewSeccompServer creates a new seccomp server bound to path; findPID is used to resolve a notifying PID to its Instance.
func (*Server) HandleBpfSyscall ¶
HandleBpfSyscall handles bpf syscalls.
func (*Server) HandleFinitModuleSyscall ¶
HandleFinitModuleSyscall handles finit_module syscalls.
func (*Server) HandleInvalid ¶
HandleInvalid sends a placeholder message to LXC. LXC will notice the short write and send a default message to the kernel, thereby avoiding the 30s block that would otherwise occur.
func (*Server) HandleMknodSyscall ¶
HandleMknodSyscall handles a mknod syscall.
func (*Server) HandleMknodatSyscall ¶
HandleMknodatSyscall handles a mknodat syscall.
func (*Server) HandleMountSyscall ¶
HandleMountSyscall handles mount syscalls.
func (*Server) HandleSchedSetschedulerSyscall ¶
HandleSchedSetschedulerSyscall handles sched_setscheduler syscalls.
func (*Server) HandleSetxattrSyscall ¶
HandleSetxattrSyscall handles setxattr syscalls.
func (*Server) HandleSysinfoSyscall ¶
HandleSysinfoSyscall handles sysinfo syscalls.
func (*Server) HandleValid ¶
func (s *Server) HandleValid(fd int, siov *Iovec, findPID func(pid int32, state *state.State) (Instance, error)) error
HandleValid handles a valid seccomp notifier message read from fd; findPID resolves the notifying PID to its Instance and should return an error for PIDs that do not belong to a managed instance, so that such requests are not served.
func (*Server) MountSyscallShift ¶
func (s *Server) MountSyscallShift(c Instance, path string) idmap.IdmapStorageType
MountSyscallShift returns the idmap storage type to use for path, i.e. whether and how the target of this mount syscall needs id-shifting.
func (*Server) MountSyscallValid ¶
MountSyscallValid reports whether args describe a mount syscall that the server intercepts; the returned string carries an accompanying message (presumably the reason when the call is rejected — confirm against callers).
type SetxattrArgs ¶
type SetxattrArgs struct {
// contains filtered or unexported fields
}
SetxattrArgs holds the arguments of an intercepted setxattr syscall.