Documentation
Index
- func DefaultProfile() *seccomp.Seccomp
- type Config
- func (c *Config) IsDisabled() bool
- func (c *Config) LoadDefaultProfile() error
- func (c *Config) LoadProfile(profilePath string) error
- func (c *Config) NotifierPath() string
- func (c *Config) Profile() *seccomp.Seccomp
- func (c *Config) SetNotifierPath(path string)
- func (c *Config) Setup(ctx context.Context, sys *imagetypes.SystemContext, msgChan chan Notification, ...) (*Notifier, string, error)
- type Notification
- type Notifier
Constants
This section is empty.
Variables
This section is empty.
Functions
func DefaultProfile (added in v1.24.0)
func DefaultProfile() *seccomp.Seccomp
DefaultProfile is used to allow mutations of the DefaultProfile from the seccomp library. Specifically, it is used to filter from the default profile the syscalls that can create namespaces, as it is risky for unprivileged containers to have the ability to create Linux namespaces.
Types
type Config
type Config struct {
// contains filtered or unexported fields
}
Config is the global seccomp configuration type
func (*Config) IsDisabled
func (c *Config) IsDisabled() bool
IsDisabled returns true if seccomp is disabled, either via the missing `seccomp` build tag or globally by the system.
func (*Config) LoadDefaultProfile (added in v1.25.0)
func (c *Config) LoadDefaultProfile() error
LoadDefaultProfile sets the internal default profile.
func (*Config) LoadProfile
func (c *Config) LoadProfile(profilePath string) error
LoadProfile can be used to load a seccomp profile from the provided path. This method will not fail if seccomp is disabled.
func (*Config) NotifierPath (added in v1.26.0)
func (c *Config) NotifierPath() string
NotifierPath returns the currently used seccomp notifier base path.
func (*Config) SetNotifierPath (added in v1.26.0)
func (c *Config) SetNotifierPath(path string)
SetNotifierPath sets the default path for creating seccomp notifier sockets.
func (*Config) Setup (added in v1.21.0)
func (c *Config) Setup(
	ctx context.Context,
	sys *imagetypes.SystemContext,
	msgChan chan Notification,
	containerID, containerName string,
	sandboxAnnotations, imageAnnotations map[string]string,
	specGenerator *generate.Generator,
	profileField *types.SecurityProfile,
) (*Notifier, string, error)
Setup can be used to set up the seccomp profile for a container.
type Notification (added in v1.26.0)
type Notification struct {
// contains filtered or unexported fields
}
Notification is a seccomp notification which gets sent to the CRI-O server.
func (*Notification) ContainerID (added in v1.26.0)
func (n *Notification) ContainerID() string
ContainerID returns the container identifier for the notification.
func (*Notification) Ctx (added in v1.26.0)
func (n *Notification) Ctx() context.Context
Ctx returns the context of the notification.
func (*Notification) Syscall (added in v1.26.0)
func (n *Notification) Syscall() string
Syscall returns the syscall name for the notification.
type Notifier (added in v1.26.0)
type Notifier struct {
// contains filtered or unexported fields
}
Notifier wraps a seccomp notifier instance for a container.
func NewNotifier (added in v1.26.0)
func NewNotifier(
	ctx context.Context,
	msgChan chan Notification,
	containerID, listenerPath string,
	annotationMap map[string]string,
) (*Notifier, error)
NewNotifier starts the notifier for the provided arguments.
func (*Notifier) AddSyscall (added in v1.26.0)
AddSyscall can be used to add a syscall to the notifier result.
func (*Notifier) OnExpired (added in v1.26.0)
func (n *Notifier) OnExpired(callback func())
OnExpired calls the provided callback if the internal timer has expired. It refreshes the timer on each call of this method.
func (*Notifier) StopContainers (added in v1.26.0)
StopContainers returns whether the notifier should stop containers or not.
func (*Notifier) UsedSyscalls (added in v1.26.0)
UsedSyscalls returns a string representation of the used syscalls, sorted by their name.
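As an added illustration, not code from the CRI-O package, the stand-alone Go model below shows how a consumer of the msgChan passed to Setup can attribute each Notification to its container, accumulate the syscalls it used, and act once the quiet-period timer described for OnExpired has elapsed. The exported Notification fields, the comma-joined UsedSyscalls format, the injected clock and the Handle loop are assumptions of this model, not the package's API.

```go
package main

import (
	"sort"
	"strings"
	"time"
)

// Notification models the message sent to the CRI-O server (exported fields are an assumption).
type Notification struct{ ContainerID, Syscall string }
// Notifier records one container's syscalls and a quiet-period deadline (assumed model).
type Notifier struct {
	syscalls map[string]struct{}
	quiet    time.Duration
	deadline time.Time
	now      func() time.Time // injected clock keeps the example deterministic
}
func (n *Notifier) AddSyscall(name string) { n.syscalls[name] = struct{}{} }
// UsedSyscalls returns the recorded names sorted and comma-joined (assumed format).
func (n *Notifier) UsedSyscalls() string {
	names := make([]string, 0, len(n.syscalls))
	for s := range n.syscalls {
		names = append(names, s)
	}
	sort.Strings(names)
	return strings.Join(names, ",")
}
// OnExpired runs callback if the quiet period since the previous call has elapsed, then re-arms.
func (n *Notifier) OnExpired(callback func()) {
	t := n.now()
	if !n.deadline.IsZero() && !t.Before(n.deadline) {
		callback()
	}
	n.deadline = t.Add(n.quiet)
}

// Handle models the server loop on msgChan: attribute syscalls per container, report once quiet.
func Handle(msgs <-chan Notification, quiet time.Duration, now func() time.Time) (reports []string) {
	notifiers := map[string]*Notifier{}
	for msg := range msgs {
		n, ok := notifiers[msg.ContainerID]
		if !ok { // first notification for this container: start tracking it
			n = &Notifier{syscalls: map[string]struct{}{}, quiet: quiet, now: now}
			notifiers[msg.ContainerID] = n
		}
		n.AddSyscall(msg.Syscall)
		n.OnExpired(func() { reports = append(reports, msg.ContainerID+": "+n.UsedSyscalls()) })
	}
	return reports
}
```

With a clock that advances one second per notification and a two-second quiet period, a container's sorted syscall set is reported the first time a notification arrives after its deadline has passed.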