seccomp

Functions

func GetDefaultProfile

func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error)

GetDefaultProfile returns an error on unsupported systems.

func IsEnabled

func IsEnabled() bool

IsEnabled returns true if seccomp is enabled for the host.

func IsSupported

func IsSupported() bool

IsSupported returns true if the system has been configured to support seccomp.

func LoadProfile

func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error)

LoadProfile returns an error on unsupported systems.

func LoadProfileFromBytes

func LoadProfileFromBytes(body []byte, rs *specs.Spec) (*specs.LinuxSeccomp, error)

LoadProfileFromBytes takes a byte slice and decodes the seccomp profile.

func LoadProfileFromConfig

func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSeccomp, error)

LoadProfileFromConfig takes a Seccomp struct and a spec and builds the corresponding LinuxSeccomp.

Types

type Action

// Action is the action taken when a Seccomp rule matches. Its values are the
// libseccomp SCMP_ACT_* names and are written verbatim into the profile JSON
// (see the `json:"action"` tag on Syscall).
type Action string

Action taken upon Seccomp rule match

const (
	// ActKill results in termination of the thread that made the system call.
	ActKill Action = "SCMP_ACT_KILL"
	// ActKillProcess results in termination of the entire process.
	ActKillProcess Action = "SCMP_ACT_KILL_PROCESS"
	// ActKillThread kills the thread that violated the rule. It is the same as
	// ActKill. All other threads from the same thread group will continue to
	// execute.
	ActKillThread Action = "SCMP_ACT_KILL_THREAD"
	// ActTrap maps to SCMP_ACT_TRAP: the syscall is not executed and the
	// calling thread receives SIGSYS instead.
	ActTrap Action = "SCMP_ACT_TRAP"
	// ActErrno maps to SCMP_ACT_ERRNO: the syscall is not executed and fails
	// with the errno configured on the rule (Syscall.Errno / ErrnoRet, or
	// Seccomp.DefaultErrno / DefaultErrnoRet for the default action).
	ActErrno Action = "SCMP_ACT_ERRNO"
	// ActTrace maps to SCMP_ACT_TRACE: the syscall is deferred to an attached
	// ptrace tracer. NOTE(review): when no tracer is attached the kernel fails
	// the call rather than running it — confirm against the seccomp docs for
	// the target kernel before relying on this as a block.
	ActTrace Action = "SCMP_ACT_TRACE"
	// ActAllow maps to SCMP_ACT_ALLOW: the syscall executes normally.
	ActAllow Action = "SCMP_ACT_ALLOW"
	// ActLog maps to SCMP_ACT_LOG: the syscall is recorded via the audit
	// subsystem and then allowed. It is an observation-only action; a profile
	// whose DefaultAction is ActLog blocks nothing and is useful for finding
	// which syscalls a workload needs, not for enforcement.
	ActLog Action = "SCMP_ACT_LOG"
	// ActNotify maps to SCMP_ACT_NOTIFY: the syscall is handed to a user-space
	// notification listener (presumably the one reached via
	// Seccomp.ListenerPath) which decides whether it proceeds.
	ActNotify Action = "SCMP_ACT_NOTIFY"
)

Define actions for Seccomp rules

type Arch

// Arch identifies a seccomp architecture by its libseccomp SCMP_ARCH_* name.
type Arch string

Arch identifies an architecture.

const (
	// ArchNative stands for the architecture of the running kernel; the
	// remaining values name specific ABIs. Listing an Arch in a profile's
	// Architectures or ArchMap widens the set of ABIs the filter accepts
	// beyond the native one, so each extra entry is extra attack surface the
	// syscall rules must also cover.
	ArchNative      Arch = "SCMP_ARCH_NATIVE"
	ArchX86         Arch = "SCMP_ARCH_X86"
	ArchX86_64      Arch = "SCMP_ARCH_X86_64"
	ArchX32         Arch = "SCMP_ARCH_X32"
	ArchARM         Arch = "SCMP_ARCH_ARM"
	ArchAARCH64     Arch = "SCMP_ARCH_AARCH64"
	ArchMIPS        Arch = "SCMP_ARCH_MIPS"
	ArchMIPS64      Arch = "SCMP_ARCH_MIPS64"
	ArchMIPS64N32   Arch = "SCMP_ARCH_MIPS64N32"
	ArchMIPSEL      Arch = "SCMP_ARCH_MIPSEL"
	ArchMIPSEL64    Arch = "SCMP_ARCH_MIPSEL64"
	ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
	ArchPPC         Arch = "SCMP_ARCH_PPC"
	ArchPPC64       Arch = "SCMP_ARCH_PPC64"
	ArchPPC64LE     Arch = "SCMP_ARCH_PPC64LE"
	ArchS390        Arch = "SCMP_ARCH_S390"
	ArchS390X       Arch = "SCMP_ARCH_S390X"
	ArchPARISC      Arch = "SCMP_ARCH_PARISC"
	ArchPARISC64    Arch = "SCMP_ARCH_PARISC64"
	ArchRISCV64     Arch = "SCMP_ARCH_RISCV64"
)

Additional architectures permitted to be used for system calls. By default only the native architecture of the kernel is permitted.

func GoArchToSeccompArch

func GoArchToSeccompArch(goArch string) (Arch, error)

GoArchToSeccompArch converts a runtime.GOARCH to a seccomp `Arch`. The function returns an error if the architecture conversion is not supported.

type Architecture

type Architecture struct {
	// Arch is the primary architecture of this entry and SubArches the
	// additional architectures enabled together with it. Note that the JSON
	// keys are "architecture" and "subArchitectures", not the Go field names.
	Arch      Arch   `json:"architecture"`
	SubArches []Arch `json:"subArchitectures"`
}

Architecture is used to represent a specific architecture and its sub-architectures

type Arg

type Arg struct {
	// Index selects which syscall argument is compared (libseccomp numbers
	// arguments from 0); Op compares that argument against Value. ValueTwo is
	// the second operand for two-operand operators: for OpMaskedEqual the
	// argument is presumably masked with Value and the result compared with
	// ValueTwo — confirm against how the loader builds the condition.
	Index    uint     `json:"index"`
	Value    uint64   `json:"value"`
	ValueTwo uint64   `json:"valueTwo"`
	Op       Operator `json:"op"`
}

Arg used for matching specific syscall arguments in Seccomp

type Filter

type Filter struct {
	// Caps and Arches list capability and architecture names. A Filter is
	// held by Syscall.Includes or Syscall.Excludes, and that position decides
	// whether a match keeps or drops the rule. The matching itself is done by
	// the profile loader — presumably against the spec's process capabilities
	// and the host architecture; confirm there before depending on it.
	Caps   []string `json:"caps,omitempty"`
	Arches []string `json:"arches,omitempty"`
}

Filter is used to conditionally apply Seccomp rules

type Operator

// Operator is the comparison an Arg applies to a syscall argument. Its values
// are the libseccomp SCMP_CMP_* names.
type Operator string

Operator used to match syscall arguments in Seccomp

const (
	// OpNotEqual through OpGreaterThan compare the selected argument with
	// Arg.Value. OpMaskedEqual presumably masks the argument with Arg.Value
	// and compares the result with Arg.ValueTwo, mirroring libseccomp's
	// SCMP_CMP_MASKED_EQ — confirm against the loader.
	OpNotEqual     Operator = "SCMP_CMP_NE"
	OpLessThan     Operator = "SCMP_CMP_LT"
	OpLessEqual    Operator = "SCMP_CMP_LE"
	OpEqualTo      Operator = "SCMP_CMP_EQ"
	OpGreaterEqual Operator = "SCMP_CMP_GE"
	OpGreaterThan  Operator = "SCMP_CMP_GT"
	OpMaskedEqual  Operator = "SCMP_CMP_MASKED_EQ"
)

Define operators for syscall arguments in Seccomp

type Seccomp

type Seccomp struct {
	// DefaultAction is applied to every syscall that no entry in Syscalls
	// matches. It is the profile's enforcement floor: with ActAllow or ActLog
	// here, unlisted syscalls are not blocked at all.
	DefaultAction Action `json:"defaultAction"`

	// DefaultErrnoRet is obsolete, please use DefaultErrno.
	// DefaultErrno is the errno returned for unmatched syscalls when
	// DefaultAction is ActErrno; it is a string, presumably a symbolic name
	// rather than a number — confirm against the loader.
	DefaultErrnoRet *uint  `json:"defaultErrnoRet,omitempty"`
	DefaultErrno    string `json:"defaultErrno,omitempty"`

	// Architectures is kept to maintain backward compatibility with the old
	// seccomp profile; ArchMap is the newer form that also carries
	// sub-architectures. Syscalls holds the rules. Flags, ListenerPath and
	// ListenerMetadata are presumably passed through to the resulting
	// specs.LinuxSeccomp; the two listener fields only matter when some rule
	// uses ActNotify.
	Architectures    []Arch         `json:"architectures,omitempty"`
	ArchMap          []Architecture `json:"archMap,omitempty"`
	Syscalls         []*Syscall     `json:"syscalls"`
	Flags            []string       `json:"flags,omitempty"`
	ListenerPath     string         `json:"listenerPath,omitempty"`
	ListenerMetadata string         `json:"listenerMetadata,omitempty"`
}

Seccomp represents the config for a seccomp profile for syscall restriction.

func DefaultProfile

func DefaultProfile() *Seccomp

DefaultProfile defines the allowlist for the default seccomp profile.

type Syscall

type Syscall struct {
	// Name matches a single syscall by name; Names applies the same rule to a
	// list of syscalls. Action is taken when a listed syscall is invoked and
	// the Args comparisons hold (presumably all of them, as libseccomp rules
	// AND their argument conditions — confirm against the loader). Comment is
	// free text carried in the profile. Includes and Excludes hold Filters
	// that gate whether the rule is emitted at all: presumably it is kept
	// only if Includes matches and dropped if Excludes matches.
	Name     string   `json:"name,omitempty"`
	Names    []string `json:"names,omitempty"`
	Action   Action   `json:"action"`
	Args     []*Arg   `json:"args"`
	Comment  string   `json:"comment"`
	Includes Filter   `json:"includes"`
	Excludes Filter   `json:"excludes"`
	// ErrnoRet is obsolete, please use Errno.
	// Errno is the errno returned when Action is ActErrno.
	ErrnoRet *uint  `json:"errnoRet,omitempty"`
	Errno    string `json:"errno,omitempty"`
}

Syscall is used to match a group of syscalls in Seccomp
