Documentation
Index
Constants
This section is empty.
Variables
var CurrentArch string = runtime.GOARCH
Functions
This section is empty.
Types
type Decision
type Decision struct {
	// Type is one of the allowed return codes for a BPF seccomp filter
	Type DecisionType
	// Data is the arbitrary data that can accompany some of the decisions
	Data uint16
}
Decision represents an outcome of the BPF seccomp filter.
type DecisionType
type DecisionType uint32
const (
	Allow       DecisionType = lowlevel.SECCOMP_RET_ALLOW
	KillProcess DecisionType = lowlevel.SECCOMP_RET_KILL_PROCESS
	KillThread  DecisionType = lowlevel.SECCOMP_RET_KILL_THREAD
	Errno       DecisionType = lowlevel.SECCOMP_RET_ERRNO
	Trap        DecisionType = lowlevel.SECCOMP_RET_TRAP
	Trace       DecisionType = lowlevel.SECCOMP_RET_TRACE
	Log         DecisionType = lowlevel.SECCOMP_RET_LOG
	UserNotify  DecisionType = lowlevel.SECCOMP_RET_USER_NOTIF
)
type Filter
type Filter struct {
	// Elements is a slice of FilterElements that build the filter
	Elements []FilterElement
	// DefaultDecision is the decision that gets applied if nothing matches
	DefaultDecision Decision
	// Architecture is the architecture for which the filter is designed.
	// If Architecture doesn't match, the process will be killed.
	Architecture string
}
Filter represents a full-fledged seccomp filter.
func (*Filter) Compile
func (f *Filter) Compile() ([]bpf.RawInstruction, error)
Compile produces a slice of BPF raw instructions ready to be loaded through the seccomp syscall.
type FilterElement
type FilterElement struct {
	Match    []SyscallCallFilter
	Decision Decision
}
FilterElement is a part of a seccomp filter grouping calls that lead to the same decision.
type SyscallArgument
type SyscallArgument struct {
	Value uintptr
	// contains filtered or unexported fields
}
SyscallArgument represents a simple equality check on a syscall argument.
func Any
func Any() SyscallArgument
Any returns a special SyscallArgument that always matches (used to ignore the value of that argument).
type SyscallCallFilter
type SyscallCallFilter struct {
	// Number is the syscall number to match
	Number uint
	// Args is an array of the arguments to the syscall; there are always six of them.
	// To ignore an argument's value, set it to Any().
	Args [6]SyscallArgument
}
SyscallCallFilter is the smallest element of a seccomp filter; it checks for a specific syscall and its arguments.
func (SyscallCallFilter) IsMorePrecise
func (a SyscallCallFilter) IsMorePrecise(b SyscallCallFilter) bool
IsMorePrecise tells whether the receiver SyscallCallFilter is more precise than the one given as argument. It should only be used when Match returns true; otherwise the result is meaningless.
func (SyscallCallFilter) Match
func (a SyscallCallFilter) Match(b SyscallCallFilter) bool
Match tells whether the two SyscallCallFilters match the same call.
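As an added illustration (not this package's own code), a self-contained Go model of the types documented above, with a Match that also counts pinned arguments and an Evaluate that applies the IsMorePrecise rule when several elements match one call. The wild field, the Evaluate function, the raw SECCOMP_RET_* values standing in for lowlevel, and the reading of "more precise" as "more arguments pinned to a value" are assumptions made for this example.

```go
package main

// SECCOMP_RET_ALLOW / SECCOMP_RET_ERRNO (<linux/seccomp.h>), assumed to be what lowlevel exposes as Allow / Errno.
const Allow, Errno uint32 = 0x7fff0000, 0x00050000

// Decision mirrors the page's struct; for Errno, Data is the errno the call fails with.
type Decision struct {
	Type uint32
	Data uint16
}

// SyscallArgument is an equality check on one argument; wild (assumed field) marks Any().
type SyscallArgument struct {
	Value uintptr
	wild  bool
}
func Any() SyscallArgument { return SyscallArgument{wild: true} }
type SyscallCallFilter struct {
	Number uint
	Args   [6]SyscallArgument
}

// Match reports whether a concrete call satisfies this element and how many
// arguments it pins (assumed reading of IsMorePrecise: more pinned wins).
func (f SyscallCallFilter) Match(nr uint, args [6]uintptr) (ok bool, pinned int) {
	for i, a := range f.Args {
		if !a.wild && a.Value != args[i] {
			return false, 0
		} else if !a.wild {
			pinned++
		}
	}
	return f.Number == nr, pinned
}
type FilterElement struct {
	Match    []SyscallCallFilter
	Decision Decision
}
// Evaluate picks the most precise matching element, else the default decision.
func Evaluate(elems []FilterElement, def Decision, nr uint, args [6]uintptr) Decision {
	best, prec := def, -1
	for _, e := range elems {
		for _, m := range e.Match {
			if ok, p := m.Match(nr, args); ok && p > prec {
				best, prec = e.Decision, p
			}
		}
	}
	return best
}
```

Because precedence is decided by precision rather than by order, an element that pins the file descriptor wins over a catch-all element for the same syscall number wherever it sits in the slice.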