Documentation ¶
Index ¶
- func DefaultProfile() *seccomp.Seccomp
- type Config
- func (c *Config) IsDisabled() bool
- func (c *Config) LoadDefaultProfile() error
- func (c *Config) LoadProfile(profilePath string) error
- func (c *Config) NotifierPath() string
- func (c *Config) Profile() *seccomp.Seccomp
- func (c *Config) SetNotifierPath(path string)
- func (c *Config) Setup(ctx context.Context, sys *imagetypes.SystemContext, msgChan chan Notification, ...) (*Notifier, string, error)
- type Notification
- type Notifier
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DefaultProfile ¶
func DefaultProfile() *seccomp.Seccomp
DefaultProfile wraps the default profile of the seccomp library so that it can be mutated before use. Specifically, it filters `unshare` out of the default profile, because it is a risky syscall for unprivileged containers to have access to.
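The following is an added, self-contained illustration of the kind of mutation DefaultProfile performs; it is not the package's own code and does not use the seccomp library's types. It models a profile with a minimal struct shaped like the OCI runtime-spec seccomp JSON (`defaultAction`, `syscalls[].names/action`, plus an `includes.caps` filter), parses a constructed sample profile, strips `unshare` from every unconditional allow rule, and re-admits it only for containers granted CAP_SYS_ADMIN. The re-admission under a capability filter is an assumed design choice for the example, not something the page states about DefaultProfile.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Filter restricts a rule to containers holding all listed capabilities.
// Illustrative type for this example, not the seccomp library's.
type Filter struct {
	Caps []string `json:"caps,omitempty"`
}

// Syscall is one rule: a set of syscall names mapped to an action.
type Syscall struct {
	Names    []string `json:"names"`
	Action   string   `json:"action"`
	Includes *Filter  `json:"includes,omitempty"`
}

// Profile is the minimal OCI-style seccomp profile used here.
type Profile struct {
	DefaultAction string     `json:"defaultAction"`
	Syscalls      []*Syscall `json:"syscalls"`
}

// sampleProfile is a constructed stand-in for a library default profile.
const sampleProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "unshare", "clone", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_PTRACE"]}}
  ]
}`

// LoadSampleProfile parses the constructed profile.
func LoadSampleProfile() (*Profile, error) {
	var p Profile
	if err := json.Unmarshal([]byte(sampleProfile), &p); err != nil {
		return nil, err
	}
	return &p, nil
}

// RestrictSyscall removes name from every unconditional allow rule and, if it
// was present anywhere, appends one allow rule for it gated on caps. Rules that
// already carry a capability filter are left untouched. Returns the number of
// unconditional entries removed.
func RestrictSyscall(p *Profile, name string, caps []string) (removed int) {
	for _, rule := range p.Syscalls {
		if rule.Action != "SCMP_ACT_ALLOW" || rule.Includes != nil {
			continue
		}
		kept := rule.Names[:0] // filter in place; ranging over the original slice header is safe
		for _, n := range rule.Names {
			if n == name {
				removed++
				continue
			}
			kept = append(kept, n)
		}
		rule.Names = kept
	}
	if removed > 0 {
		p.Syscalls = append(p.Syscalls, &Syscall{
			Names:    []string{name},
			Action:   "SCMP_ACT_ALLOW",
			Includes: &Filter{Caps: caps},
		})
	}
	return removed
}

// UnconditionallyAllowed lists, sorted, the syscalls an unprivileged container
// (no extra capabilities) may call under this profile.
func UnconditionallyAllowed(p *Profile) []string {
	var out []string
	for _, rule := range p.Syscalls {
		if rule.Action == "SCMP_ACT_ALLOW" && rule.Includes == nil {
			out = append(out, rule.Names...)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	p, err := LoadSampleProfile()
	if err != nil {
		panic(err)
	}
	fmt.Println("before:", UnconditionallyAllowed(p))
	RestrictSyscall(p, "unshare", []string{"CAP_SYS_ADMIN"})
	fmt.Println("after: ", UnconditionallyAllowed(p))
}
```

The check a reviewer wants after such a mutation is the one `UnconditionallyAllowed` makes cheap: confirm the risky syscall is absent from every rule that applies without capabilities, rather than trusting that a single edit at a hard-coded index hit the right entry.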
Types ¶
type Config ¶
type Config struct {
// contains filtered or unexported fields
}
Config is the global seccomp configuration type
func (*Config) IsDisabled ¶
func (c *Config) IsDisabled() bool
IsDisabled returns true if seccomp is disabled either via the missing `seccomp` buildtag or globally by the system.
func (*Config) LoadDefaultProfile ¶
func (c *Config) LoadDefaultProfile() error
LoadDefaultProfile sets the internal default profile.
func (*Config) LoadProfile ¶
func (c *Config) LoadProfile(profilePath string) error
LoadProfile can be used to load a seccomp profile from the provided path. This method will not fail if seccomp is disabled.
func (*Config) NotifierPath ¶
func (c *Config) NotifierPath() string
NotifierPath returns the currently used seccomp notifier base path.
func (*Config) SetNotifierPath ¶
func (c *Config) SetNotifierPath(path string)
SetNotifierPath sets the default path for creating seccomp notifier sockets.
func (*Config) Setup ¶
func (c *Config) Setup(
	ctx context.Context,
	sys *imagetypes.SystemContext,
	msgChan chan Notification,
	containerID, containerName string,
	sandboxAnnotations, imageAnnotations map[string]string,
	specGenerator *generate.Generator,
	profileField *types.SecurityProfile,
) (*Notifier, string, error)
Setup can be used to set up the seccomp profile.
type Notification ¶
type Notification struct {
// contains filtered or unexported fields
}
Notification is a seccomp notification which gets sent to the CRI-O server.
func (*Notification) ContainerID ¶
func (n *Notification) ContainerID() string
ContainerID returns the container identifier for the notification.
func (*Notification) Ctx ¶
func (n *Notification) Ctx() context.Context
Ctx returns the context of the notification.
func (*Notification) Syscall ¶
func (n *Notification) Syscall() string
Syscall returns the syscall name for the notification.
type Notifier ¶
type Notifier struct {
// contains filtered or unexported fields
}
Notifier wraps a seccomp notifier instance for a container.
func NewNotifier ¶
func NewNotifier(
	ctx context.Context,
	msgChan chan Notification,
	containerID, listenerPath string,
	annotationMap map[string]string,
) (*Notifier, error)
NewNotifier starts the notifier for the provided arguments.
func (*Notifier) AddSyscall ¶
AddSyscall can be used to add a syscall to the notifier result.
func (*Notifier) OnExpired ¶
func (n *Notifier) OnExpired(callback func())
OnExpired calls the provided callback once the internal timer has expired. Each call of this method refreshes the timer.
func (*Notifier) StopContainers ¶
StopContainers returns whether the notifier should stop containers.
func (*Notifier) UsedSyscalls ¶
UsedSyscalls returns a string representation of the used syscalls, sorted by their name.