Documentation
Functions

func IsEnabled
func IsEnabled() bool
IsEnabled returns false when built without the seccomp build tag.
func LoadProfileFromBytes
LoadProfileFromBytes takes a byte slice and decodes the seccomp profile.
Types

type Arch
type Arch string
Arch is used for architectures.
const (
	ArchX86         Arch = "SCMP_ARCH_X86"
	ArchX86_64      Arch = "SCMP_ARCH_X86_64"
	ArchX32         Arch = "SCMP_ARCH_X32"
	ArchARM         Arch = "SCMP_ARCH_ARM"
	ArchAARCH64     Arch = "SCMP_ARCH_AARCH64"
	ArchMIPS        Arch = "SCMP_ARCH_MIPS"
	ArchMIPS64      Arch = "SCMP_ARCH_MIPS64"
	ArchMIPS64N32   Arch = "SCMP_ARCH_MIPS64N32"
	ArchMIPSEL      Arch = "SCMP_ARCH_MIPSEL"
	ArchMIPSEL64    Arch = "SCMP_ARCH_MIPSEL64"
	ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
	ArchPPC         Arch = "SCMP_ARCH_PPC"
	ArchPPC64       Arch = "SCMP_ARCH_PPC64"
	ArchPPC64LE     Arch = "SCMP_ARCH_PPC64LE"
	ArchS390        Arch = "SCMP_ARCH_S390"
	ArchS390X       Arch = "SCMP_ARCH_S390X"
)
Additional architectures permitted to be used for system calls. By default only the native architecture of the kernel is permitted.
type Architecture

type Architecture struct {
	Arch      Arch   `json:"architecture"`
	SubArches []Arch `json:"subArchitectures"`
}
Architecture is used to represent a specific architecture and its sub-architectures.
type Arg

type Arg struct {
	Index    uint     `json:"index"`
	Value    uint64   `json:"value"`
	ValueTwo uint64   `json:"valueTwo"`
	Op       Operator `json:"op"`
}
Arg is used for matching specific syscall arguments in Seccomp.
type Filter

type Filter struct {
	Caps   []string `json:"caps,omitempty"`
	Arches []string `json:"arches,omitempty"`
}
Filter is used to conditionally apply Seccomp rules.
type Operator
type Operator string
Operator is used to match syscall arguments in Seccomp.
const (
	OpNotEqual     Operator = "SCMP_CMP_NE"
	OpLessThan     Operator = "SCMP_CMP_LT"
	OpLessEqual    Operator = "SCMP_CMP_LE"
	OpEqualTo      Operator = "SCMP_CMP_EQ"
	OpGreaterEqual Operator = "SCMP_CMP_GE"
	OpGreaterThan  Operator = "SCMP_CMP_GT"
	OpMaskedEqual  Operator = "SCMP_CMP_MASKED_EQ"
)
Operators for matching syscall arguments in Seccomp.
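How a rule's Arg list is decoded from a profile and evaluated against a syscall's actual arguments, as an added example (not the package's own code): Operator and Arg are re-declared to match the schema above, the comparison semantics (mask in Value, expected result in ValueTwo for SCMP_CMP_MASKED_EQ) are taken from libseccomp, and the clone "args" fragment is constructed for the example.

```go
package main
import (
	"encoding/json"
	"fmt"
)

// Operator and Arg mirror the page's profile schema (added example, not the package's own code).
// libseccomp semantics: SCMP_CMP_MASKED_EQ checks actual&Value == ValueTwo; the rest compare against Value.
type Operator string
type Arg struct {
	Index    uint     `json:"index"`
	Value    uint64   `json:"value"`
	ValueTwo uint64   `json:"valueTwo"`
	Op       Operator `json:"op"`
}
var compare = map[Operator]func(actual, v, v2 uint64) bool{
	"SCMP_CMP_NE":        func(a, v, _ uint64) bool { return a != v },
	"SCMP_CMP_LT":        func(a, v, _ uint64) bool { return a < v },
	"SCMP_CMP_LE":        func(a, v, _ uint64) bool { return a <= v },
	"SCMP_CMP_EQ":        func(a, v, _ uint64) bool { return a == v },
	"SCMP_CMP_GE":        func(a, v, _ uint64) bool { return a >= v },
	"SCMP_CMP_GT":        func(a, v, _ uint64) bool { return a > v },
	"SCMP_CMP_MASKED_EQ": func(a, mask, want uint64) bool { return a&mask == want },
}
// ArgMatches evaluates one Arg against the register value of the syscall argument at a.Index.
func ArgMatches(a Arg, actual uint64) (bool, error) {
	if f, ok := compare[a.Op]; ok {
		return f(actual, a.Value, a.ValueTwo), nil
	}
	return false, fmt.Errorf("unknown operator %q", a.Op)
}
// RuleMatches decodes a rule's "args" array as written in a profile and reports whether
// every Arg holds for the given syscall arguments (a rule's args are ANDed together).
func RuleMatches(argsJSON string, sysArgs []uint64) (bool, error) {
	var args []Arg
	if err := json.Unmarshal([]byte(argsJSON), &args); err != nil {
		return false, err
	}
	for _, a := range args {
		if int(a.Index) >= len(sysArgs) {
			return false, fmt.Errorf("arg index %d out of range", a.Index)
		}
		if ok, err := ArgMatches(a, sysArgs[a.Index]); err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}
// Constructed "args" fragment: holds only when none of the CLONE_NEW* flags in mask 0x7E020000 are set in clone's first argument.
const cloneArgs = `[{"index":0,"value":2114060288,"valueTwo":0,"op":"SCMP_CMP_MASKED_EQ"}]`
```

Paired with SCMP_ACT_ALLOW in a profile whose defaultAction denies, a fragment like cloneArgs lets ordinary thread creation through while a clone that requests a new namespace falls back to the default action.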
type Seccomp

type Seccomp struct {
	DefaultAction Action `json:"defaultAction"`
	// Architectures is kept to maintain backward compatibility with the old
	// seccomp profile.
	Architectures []Arch         `json:"architectures,omitempty"`
	ArchMap       []Architecture `json:"archMap,omitempty"`
	Syscalls      []*Syscall     `json:"syscalls"`
}
Seccomp represents the config for a seccomp profile for syscall restriction.
type Syscall

type Syscall struct {
	Name     string   `json:"name,omitempty"`
	Names    []string `json:"names,omitempty"`
	Action   Action   `json:"action"`
	Args     []*Arg   `json:"args"`
	Comment  string   `json:"comment"`
	Includes Filter   `json:"includes"`
	Excludes Filter   `json:"excludes"`
}
Syscall is used to match a group of syscalls in Seccomp.