Documentation ¶
Index ¶
- func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error)
- func IsEnabled() bool
- func IsSupported() bool
- func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error)
- func LoadProfileFromBytes(body []byte, rs *specs.Spec) (*specs.LinuxSeccomp, error)
- func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSeccomp, error)
- type Action
- type Arch
- type Architecture
- type Arg
- type Filter
- type Operator
- type Seccomp
- type Syscall
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetDefaultProfile ¶
func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error)
GetDefaultProfile returns an error on unsupported systems.
func IsSupported ¶
func IsSupported() bool
IsSupported returns true if the system has been configured to support seccomp.
func LoadProfile ¶
func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error)
LoadProfile returns an error on unsupported systems.
func LoadProfileFromBytes ¶
func LoadProfileFromBytes(body []byte, rs *specs.Spec) (*specs.LinuxSeccomp, error)
LoadProfileFromBytes takes a byte slice and decodes the seccomp profile.
func LoadProfileFromConfig ¶
func LoadProfileFromConfig(config *Seccomp, specgen *specs.Spec) (*specs.LinuxSeccomp, error)
LoadProfileFromConfig takes a Seccomp struct and a spec and returns the corresponding LinuxSeccomp.
Types ¶
type Action ¶
type Action string
Action taken upon Seccomp rule match
const (
	// ActKill results in termination of the thread that made the system call.
	ActKill Action = "SCMP_ACT_KILL"
	// ActKillProcess results in termination of the entire process.
	ActKillProcess Action = "SCMP_ACT_KILL_PROCESS"
	// ActKillThread kills the thread that violated the rule. It is the same as
	// ActKill. All other threads from the same thread group will continue to
	// execute.
	ActKillThread Action = "SCMP_ACT_KILL_THREAD"
	ActTrap       Action = "SCMP_ACT_TRAP"
	ActErrno      Action = "SCMP_ACT_ERRNO"
	ActTrace      Action = "SCMP_ACT_TRACE"
	ActAllow      Action = "SCMP_ACT_ALLOW"
	ActLog        Action = "SCMP_ACT_LOG"
	ActNotify     Action = "SCMP_ACT_NOTIFY"
)
Define actions for Seccomp rules
type Arch ¶
type Arch string
Arch used for architectures
const (
	ArchNative      Arch = "SCMP_ARCH_NATIVE"
	ArchX86         Arch = "SCMP_ARCH_X86"
	ArchX86_64      Arch = "SCMP_ARCH_X86_64"
	ArchX32         Arch = "SCMP_ARCH_X32"
	ArchARM         Arch = "SCMP_ARCH_ARM"
	ArchAARCH64     Arch = "SCMP_ARCH_AARCH64"
	ArchMIPS        Arch = "SCMP_ARCH_MIPS"
	ArchMIPS64      Arch = "SCMP_ARCH_MIPS64"
	ArchMIPS64N32   Arch = "SCMP_ARCH_MIPS64N32"
	ArchMIPSEL      Arch = "SCMP_ARCH_MIPSEL"
	ArchMIPSEL64    Arch = "SCMP_ARCH_MIPSEL64"
	ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
	ArchPPC         Arch = "SCMP_ARCH_PPC"
	ArchPPC64       Arch = "SCMP_ARCH_PPC64"
	ArchPPC64LE     Arch = "SCMP_ARCH_PPC64LE"
	ArchS390        Arch = "SCMP_ARCH_S390"
	ArchS390X       Arch = "SCMP_ARCH_S390X"
	ArchPARISC      Arch = "SCMP_ARCH_PARISC"
	ArchPARISC64    Arch = "SCMP_ARCH_PARISC64"
	ArchRISCV64     Arch = "SCMP_ARCH_RISCV64"
)
Additional architectures permitted to be used for system calls. By default only the native architecture of the kernel is permitted.
func GoArchToSeccompArch ¶
GoArchToSeccompArch converts a runtime.GOARCH to a seccomp `Arch`. The function returns an error if the architecture conversion is not supported.
type Architecture ¶
type Architecture struct {
	Arch      Arch   `json:"architecture"`
	SubArches []Arch `json:"subArchitectures"`
}
Architecture is used to represent a specific architecture and its sub-architectures
type Arg ¶
type Arg struct {
	Index    uint     `json:"index"`
	Value    uint64   `json:"value"`
	ValueTwo uint64   `json:"valueTwo"`
	Op       Operator `json:"op"`
}
Arg used for matching specific syscall arguments in Seccomp
type Filter ¶
type Filter struct {
	Caps   []string `json:"caps,omitempty"`
	Arches []string `json:"arches,omitempty"`
}
Filter is used to conditionally apply Seccomp rules
type Operator ¶
type Operator string
Operator used to match syscall arguments in Seccomp
const (
	OpNotEqual     Operator = "SCMP_CMP_NE"
	OpLessThan     Operator = "SCMP_CMP_LT"
	OpLessEqual    Operator = "SCMP_CMP_LE"
	OpEqualTo      Operator = "SCMP_CMP_EQ"
	OpGreaterEqual Operator = "SCMP_CMP_GE"
	OpGreaterThan  Operator = "SCMP_CMP_GT"
	OpMaskedEqual  Operator = "SCMP_CMP_MASKED_EQ"
)
Define operators for syscall arguments in Seccomp
type Seccomp ¶
type Seccomp struct {
	DefaultAction Action `json:"defaultAction"`
	// DefaultErrnoRet is obsolete, please use DefaultErrno
	DefaultErrnoRet *uint  `json:"defaultErrnoRet,omitempty"`
	DefaultErrno    string `json:"defaultErrno,omitempty"`
	// Architectures is kept to maintain backward compatibility with the old
	// seccomp profile.
	Architectures    []Arch         `json:"architectures,omitempty"`
	ArchMap          []Architecture `json:"archMap,omitempty"`
	Syscalls         []*Syscall     `json:"syscalls"`
	Flags            []string       `json:"flags,omitempty"`
	ListenerPath     string         `json:"listenerPath,omitempty"`
	ListenerMetadata string         `json:"listenerMetadata,omitempty"`
}
Seccomp represents the config for a seccomp profile for syscall restriction.
func DefaultProfile ¶
func DefaultProfile() *Seccomp
DefaultProfile defines the allowlist for the default seccomp profile.
type Syscall ¶
type Syscall struct {
	Name     string   `json:"name,omitempty"`
	Names    []string `json:"names,omitempty"`
	Action   Action   `json:"action"`
	Args     []*Arg   `json:"args"`
	Comment  string   `json:"comment"`
	Includes Filter   `json:"includes"`
	Excludes Filter   `json:"excludes"`
	// ErrnoRet is obsolete, please use Errno
	ErrnoRet *uint  `json:"errnoRet,omitempty"`
	Errno    string `json:"errno,omitempty"`
}
Syscall is used to match a group of syscalls in Seccomp
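Worked example for the Arg, Operator and Syscall types above, added here and not part of the package: a local mirror of Operator and Arg, an evaluator for the seven comparison operators (SCMP_CMP_MASKED_EQ tests the masked argument against ValueTwo), and the ANDed evaluation of one rule's Args, exercised with a constructed clone(2)/CLONE_NEWUSER rule of the kind the default profile uses.

```go
package main
// Local mirror of the page's Operator and Arg types (assumption: the real package is not imported).
type Operator string

const (
	OpNotEqual     Operator = "SCMP_CMP_NE"
	OpLessThan     Operator = "SCMP_CMP_LT"
	OpLessEqual    Operator = "SCMP_CMP_LE"
	OpEqualTo      Operator = "SCMP_CMP_EQ"
	OpGreaterEqual Operator = "SCMP_CMP_GE"
	OpGreaterThan  Operator = "SCMP_CMP_GT"
	OpMaskedEqual  Operator = "SCMP_CMP_MASKED_EQ"
)

type Arg struct {
	Index    uint
	Value    uint64
	ValueTwo uint64
	Op       Operator
}

// Comparison semantics as libseccomp compiles them into BPF: MASKED_EQ tests
// (actual & Value) == ValueTwo; every other operator compares actual to Value.
var compare = map[Operator]func(actual, value, valueTwo uint64) bool{
	OpNotEqual:     func(a, v, _ uint64) bool { return a != v },
	OpLessThan:     func(a, v, _ uint64) bool { return a < v },
	OpLessEqual:    func(a, v, _ uint64) bool { return a <= v },
	OpEqualTo:      func(a, v, _ uint64) bool { return a == v },
	OpGreaterEqual: func(a, v, _ uint64) bool { return a >= v },
	OpGreaterThan:  func(a, v, _ uint64) bool { return a > v },
	OpMaskedEqual:  func(a, v, v2 uint64) bool { return a&v == v2 },
}

// ArgMatches evaluates one Arg against a register value; unknown ops never match.
func ArgMatches(a *Arg, actual uint64) bool {
	f, ok := compare[a.Op]
	return ok && f(actual, a.Value, a.ValueTwo)
}

// RuleArgsMatch ANDs every Arg of one Syscall rule against actual[Index].
func RuleArgsMatch(rule []*Arg, actual [6]uint64) bool {
	for _, a := range rule {
		if int(a.Index) >= len(actual) || !ArgMatches(a, actual[a.Index]) {
			return false
		}
	}
	return true
}
// Constructed rule shaped like a default-profile clone restriction: CLONE_NEWUSER (0x10000000) set in arg 0.
var CloneNewUserArgs = []*Arg{{Index: 0, Value: 0x10000000, ValueTwo: 0x10000000, Op: OpMaskedEqual}}
```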