Documentation ¶
Overview ¶
This package allows syscall-level interaction with the Linux seccomp filter system. It adds almost no abstraction over the kernel API, so most of what it exposes is unsafe by nature: the caller is expected to know the seccomp(2) semantics, since a wrong return action or flag combination is either rejected by the kernel or kills the calling process.
Index ¶
- Constants
- func ArchIs64Bits(goArch string) bool
- func ArchIsLittleEndian(goArch string) bool
- func GetAuditArch(goArch string) uint32
- func LoadSeccompDataField(field string, highByte bool, arch string) bpf.LoadAbsolute
- func NoNewPrivs() error
- func SeccompGetActionAvail(return_action uint) bool
- func SeccompSetModeFilter(prog []bpf.RawInstruction, flags uint) (int, error)
- type SeccompNotifSizes
Constants ¶
const (
	// Seccomp syscall operation to set the current thread mode to strict
	SECCOMP_SET_MODE_STRICT = 0
	// Seccomp syscall operation to set the current thread mode to filter and insert a filter
	SECCOMP_SET_MODE_FILTER = 1
	// Seccomp syscall operation to query whether a given filter return action is available
	SECCOMP_GET_ACTION_AVAIL = 2
	// Seccomp syscall operation to get the sizes of the user-space notification structures
	SECCOMP_GET_NOTIF_SIZES = 3

	// Seccomp return action to terminate the process with a core dump. The syscall is not executed;
	// to the parent process it looks as if the process was killed by SIGSYS.
	SECCOMP_RET_KILL_PROCESS = 0x80000000
	// Seccomp return action to terminate the thread. The syscall is not executed; the thread appears
	// to have been killed by SIGSYS.
	SECCOMP_RET_KILL_THREAD = 0x00000000
	SECCOMP_RET_KILL        = SECCOMP_RET_KILL_THREAD
	// Seccomp return action to send SIGSYS to the triggering thread. The syscall is not executed.
	SECCOMP_RET_TRAP = 0x00030000
	// Seccomp return action to return an errno to the caller without executing the syscall. The errno
	// is carried in the low 16 bits of the return value (SECCOMP_RET_ERRNO | errno).
	SECCOMP_RET_ERRNO = 0x00050000
	// Seccomp return action to forward the syscall to the attached user-space supervisor process. If no
	// supervisor is attached, the syscall fails with ENOSYS.
	SECCOMP_RET_USER_NOTIF = 0x7fc00000
	// Seccomp return action to notify an attached ptrace tracer (PTRACE_EVENT_SECCOMP), which may let the
	// syscall proceed or change it. Without a tracer the syscall fails with ENOSYS.
	SECCOMP_RET_TRACE = 0x7ff00000
	// Seccomp return action to log the syscall. The syscall is executed.
	SECCOMP_RET_LOG = 0x7ffc0000
	// Seccomp return action to execute the syscall
	SECCOMP_RET_ALLOW = 0x7fff0000

	// Seccomp filter flag to synchronize all threads of the process to the same filter tree. If a thread
	// cannot be synchronized, the syscall fails and returns the thread id of the first such thread.
	SECCOMP_FILTER_FLAG_TSYNC = 1 << 0
	// Seccomp filter flag to log all non-allow actions
	SECCOMP_FILTER_FLAG_LOG = 1 << 1
	// Seccomp filter flag to disable the Speculative Store Bypass mitigation for the filtered task
	SECCOMP_FILTER_FLAG_SPEC_ALLOW = 1 << 2
	// Seccomp filter flag to obtain a user-space notification file descriptor. The descriptor has the
	// close-on-exec flag set. Combining it with SECCOMP_FILTER_FLAG_TSYNC requires
	// SECCOMP_FILTER_FLAG_TSYNC_ESRCH as well, otherwise the kernel returns EINVAL.
	SECCOMP_FILTER_FLAG_NEW_LISTENER = 1 << 3
	// Seccomp filter flag like SECCOMP_FILTER_FLAG_TSYNC, except that a synchronization failure is
	// reported as -ESRCH instead of a thread id
	SECCOMP_FILTER_FLAG_TSYNC_ESRCH = 1 << 4
	// Seccomp filter flag to put the notifying process in a killable state once the notification has
	// been received by the user-space listener
	SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV = 1 << 5
)
Variables ¶
This section is empty.
Functions ¶
func ArchIs64Bits ¶
func ArchIs64Bits(goArch string) bool
ArchIs64Bits reports whether the given GOARCH string is considered 64-bit by the Linux kernel.
func ArchIsLittleEndian ¶
func ArchIsLittleEndian(goArch string) bool
ArchIsLittleEndian reports whether the given GOARCH string is considered little-endian by the Linux kernel.
func GetAuditArch ¶
func GetAuditArch(goArch string) uint32
GetAuditArch converts a GOARCH string (as in runtime.GOARCH) into the corresponding Linux kernel audit architecture identifier (AUDIT_ARCH_*), the value a filter compares against the Arch field of seccomp_data.
If the given architecture string is unknown, GetAuditArch returns 0.
func LoadSeccompDataField ¶
func LoadSeccompDataField(field string, highByte bool, arch string) bpf.LoadAbsolute
LoadSeccompDataField generates the bpf.LoadAbsolute instruction that reads the given field of the seccomp_data structure available to the BPF program. field must be one of "Number", "Arch", "InstructionPointer" or "ArgX" (with X from 0 to 5).
Classic BPF loads are 32 bits wide. On 64-bit architectures, setting highByte to true reads the upper 32-bit half of a 64-bit field instead of the lower half; this is only relevant for "InstructionPointer" and "ArgX", since "Number" and "Arch" are 32-bit fields. A filter that checks a 64-bit argument must compare both halves, otherwise the unchecked half is under the caller's control.
arch must be set to the target architecture of the filter: it determines the endianness, and thus which half of a 64-bit field sits at the lower offset.
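As an added example (not code from this package), the stand-alone program below does what a filter author needs around LoadSeccompDataField and the return-action constants: it reproduces the offset computation (field, half, endianness), assembles an allow-list filter from raw sock_filter instructions, and interprets that filter against constructed seccomp_data records so the kernel's decision for a syscall can be checked before anything is installed. The sockFilter type, the opcode constants and the fieldOffset, buildFilter, seccompData and evaluate functions are this example's own names; bpf.RawInstruction from golang.org/x/net/bpf has the same four fields, and the syscall numbers used are x86-64's.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"syscall"
)

// Return actions from this package's constants; SECCOMP_RET_DATA and AUDIT_ARCH_X86_64 are kernel header values.
const (
	retKillProcess  = 0x80000000
	retErrno        = 0x00050000
	retAllow        = 0x7fff0000
	retData         = 0x0000ffff // low 16 bits: errno for RET_ERRNO, cookie for RET_TRACE
	auditArchX86_64 = 0xc000003e

	// Classic BPF opcodes: load the 32-bit word at K, jump Jt/Jf on A == K, return K.
	opLdAbsW = 0x20 // BPF_LD|BPF_W|BPF_ABS
	opJeqK   = 0x15 // BPF_JMP|BPF_JEQ|BPF_K
	opRetK   = 0x06 // BPF_RET|BPF_K
)

// sockFilter has the layout of struct sock_filter and of bpf.RawInstruction.
type sockFilter struct{ Op uint16; Jt, Jf uint8; K uint32 }

// fieldOffset is the computation behind LoadSeccompDataField: BPF loads are 32 bits wide, so the 64-bit
// fields (InstructionPointer, Arg0..Arg5) are read as two halves whose order depends on endianness.
func fieldOffset(field string, highHalf, littleEndian bool) (uint32, error) {
	off, ok := map[string]uint32{"Number": 0, "Arch": 4, "InstructionPointer": 8}[field]
	if !ok {
		if len(field) != 4 || field[:3] != "Arg" || field[3] < '0' || field[3] > '5' {
			return 0, fmt.Errorf("unknown seccomp_data field %q", field)
		}
		off = 16 + 8*uint32(field[3]-'0')
	}
	if off < 8 { // Number and Arch are 32-bit fields: no high half
		if highHalf {
			return 0, fmt.Errorf("field %q is 32 bits wide", field)
		}
		return off, nil
	}
	if highHalf == littleEndian { // LE stores the high half second, BE stores it first
		off += 4
	}
	return off, nil
}

// buildFilter kills the process on a foreign architecture (otherwise i386 syscall numbers would be
// matched against the x86-64 table), allows the listed numbers and fails the rest with errno.
func buildFilter(arch uint32, allowed []uint32, errno syscall.Errno) []sockFilter {
	archOff, _ := fieldOffset("Arch", false, true)
	nrOff, _ := fieldOffset("Number", false, true)
	prog := []sockFilter{
		{Op: opLdAbsW, K: archOff},
		{Op: opJeqK, K: arch, Jt: 1}, // matching arch skips the kill
		{Op: opRetK, K: retKillProcess},
		{Op: opLdAbsW, K: nrOff},
	}
	for i, nr := range allowed { // on match, jump past the remaining tests and the errno return
		prog = append(prog, sockFilter{Op: opJeqK, K: nr, Jt: uint8(len(allowed) - i)})
	}
	return append(prog, sockFilter{Op: opRetK, K: retErrno | uint32(errno)&retData}, sockFilter{Op: opRetK, K: retAllow})
}

// seccompData packs a 64-byte struct seccomp_data little-endian, as an x86-64 kernel hands it to the
// filter (constructed input, not a kernel capture).
func seccompData(nr int32, arch uint32, ip uint64, args [6]uint64) []byte {
	b := make([]byte, 64)
	binary.LittleEndian.PutUint32(b[0:], uint32(nr))
	binary.LittleEndian.PutUint32(b[4:], arch)
	binary.LittleEndian.PutUint64(b[8:], ip)
	for i, a := range args {
		binary.LittleEndian.PutUint64(b[16+8*i:], a)
	}
	return b
}

// evaluate interprets the opcode subset above against one seccomp_data: the decision the kernel would
// take for that syscall, checked before the filter is installed.
func evaluate(prog []sockFilter, data []byte) (uint32, error) {
	var acc uint32
	for pc := 0; pc < len(prog); pc++ {
		ins := prog[pc]
		switch ins.Op {
		case opLdAbsW:
			if int(ins.K)+4 > len(data) {
				return 0, fmt.Errorf("pc %d: load at %d out of bounds", pc, ins.K)
			}
			acc = binary.LittleEndian.Uint32(data[ins.K:])
		case opJeqK:
			if acc == ins.K {
				pc += int(ins.Jt)
			} else {
				pc += int(ins.Jf)
			}
		case opRetK:
			return ins.K, nil
		default:
			return 0, fmt.Errorf("pc %d: unsupported opcode %#x", pc, ins.Op)
		}
	}
	return 0, fmt.Errorf("no return reached; the kernel rejects such a filter with EINVAL")
}
```

The arch check comes first on purpose: an i386 binary running on an x86-64 kernel presents AUDIT_ARCH_I386 with a different syscall numbering, and a filter without that check would apply the x86-64 allow list to the wrong numbers. A filter that needs a 64-bit argument loads both halves (fieldOffset with highHalf false and true) and compares each; checking only the low half leaves the high bits to the caller.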
func NoNewPrivs ¶
func NoNewPrivs() error
NoNewPrivs is a thin wrapper around unix.Prctl that sets the no_new_privs bit (PR_SET_NO_NEW_PRIVS) on the current thread. Without it, seccomp(2) refuses to install a filter with EACCES unless the caller has CAP_SYS_ADMIN in its user namespace. The bit is inherited across fork and execve and cannot be cleared.
func SeccompGetActionAvail ¶
func SeccompGetActionAvail(return_action uint) bool
SeccompGetActionAvail reports whether the given filter return action is supported by the running kernel (the SECCOMP_GET_ACTION_AVAIL operation). Use it to confirm that the kernel knows a recently added return action before putting it in a filter.
As a reminder, the kernel treats an unknown return action as SECCOMP_RET_KILL_PROCESS (SECCOMP_RET_KILL_THREAD before Linux 4.14), so a filter that uses an unsupported action kills the process instead of taking the intended action.
func SeccompSetModeFilter ¶
func SeccompSetModeFilter(prog []bpf.RawInstruction, flags uint) (int, error)
SeccompSetModeFilter is a wrapper around the seccomp syscall with the SECCOMP_SET_MODE_FILTER operation: it sets the current thread's seccomp mode to "filter" and pushes the given filter on top of the thread's filter stack (filters already installed keep applying). flags can be any valid combination of the SECCOMP_FILTER_FLAG_* constants.
SeccompSetModeFilter returns the raw return value of the syscall and an error when the syscall fails. With SECCOMP_FILTER_FLAG_NEW_LISTENER the return value is the user-space notification file descriptor; with SECCOMP_FILTER_FLAG_TSYNC and without SECCOMP_FILTER_FLAG_TSYNC_ESRCH, a positive value is the id of a thread that could not be synchronized.
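Added example, not the package's code: the load sequence that NoNewPrivs, SeccompGetActionAvail and SeccompSetModeFilter wrap, written against the stdlib syscall package so it runs without this module. It probes the kernel for SECCOMP_RET_KILL_PROCESS before using it (an unknown action in an installed filter kills the process), refuses the TSYNC plus NEW_LISTENER combination the kernel rejects unless TSYNC_ESRCH is added, and decodes the return value, which is a listener fd with NEW_LISTENER but a thread id on TSYNC failure otherwise. The seccomp(2) syscall-number table, the function names and the errNoArch, decodeReturn and installFilter helpers are this example's assumptions; verify the numbers against unix.SYS_SECCOMP before relying on them.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"syscall"
	"unsafe"
)

// Operations, actions and flags are this package's constants; PR_SET_NO_NEW_PRIVS is from <linux/prctl.h>.
const (
	setModeFilter   = 1
	getActionAvail  = 2
	retKillProcess  = 0x80000000
	retKillThread   = 0x00000000
	flagTSync       = 1 << 0
	flagNewListener = 1 << 3
	flagTSyncESRCH  = 1 << 4
	prSetNoNewPrivs = 38
)

// seccomp(2) number per GOARCH: this example's assumption (the stdlib syscall package predates seccomp),
// to be checked against unix.SYS_SECCOMP from golang.org/x/sys/unix. A zero value means "not in the table".
var seccompNr = map[string]uintptr{"386": 354, "amd64": 317, "arm": 383, "arm64": 277}[runtime.GOARCH]
var errNoArch = errors.New("no seccomp(2) number known for " + runtime.GOARCH)

type sockFilter struct{ Op uint16; Jt, Jf uint8; K uint32 } // struct sock_filter / bpf.RawInstruction
type sockFprog struct{ Len uint16; Filter *sockFilter }     // struct sock_fprog

// noNewPrivs sets no_new_privs: inherited across fork/execve, never cleared, and required to install a
// filter without CAP_SYS_ADMIN (seccomp(2) fails with EACCES otherwise).
func noNewPrivs() error {
	if _, _, e := syscall.Syscall(syscall.SYS_PRCTL, prSetNoNewPrivs, 1, 0); e != 0 {
		return e
	}
	return nil
}

// actionAvail asks the kernel whether it knows a return action (EOPNOTSUPP: it does not). An unknown
// action inside a filter is treated as SECCOMP_RET_KILL_PROCESS, so probe before relying on a new one.
func actionAvail(action uint32) (bool, error) {
	if seccompNr == 0 {
		return false, errNoArch
	}
	switch _, _, e := syscall.Syscall(seccompNr, getActionAvail, 0, uintptr(unsafe.Pointer(&action))); e {
	case 0:
		return true, nil
	case syscall.EOPNOTSUPP:
		return false, nil
	default:
		return false, e
	}
}

// chooseKillAction takes a probe (actionAvail in production, a stub in tests) and falls back to
// RET_KILL_THREAD, which every filter-capable kernel supports.
func chooseKillAction(avail func(uint32) (bool, error)) (uint32, error) {
	ok, err := avail(retKillProcess)
	if err != nil {
		return 0, err
	}
	if ok {
		return retKillProcess, nil
	}
	return retKillThread, nil
}

// validateFlags rejects a combination seccomp(2) refuses with EINVAL: with TSYNC a positive return is a
// failed thread's TID, with NEW_LISTENER it is an fd, so both together need TSYNC_ESRCH to disambiguate.
func validateFlags(flags uint) error {
	if flags&flagTSync != 0 && flags&flagNewListener != 0 && flags&flagTSyncESRCH == 0 {
		return errors.New("TSYNC with NEW_LISTENER requires TSYNC_ESRCH")
	}
	return nil
}

// decodeReturn reads a successful seccomp(2) result: with NEW_LISTENER it is the listener fd; otherwise
// a non-zero value is the TID of a thread TSYNC could not synchronize (TSYNC_ESRCH reports ESRCH instead).
func decodeReturn(r int, flags uint) (fd int, err error) {
	if flags&flagNewListener != 0 {
		return r, nil
	}
	if r != 0 {
		return -1, fmt.Errorf("thread %d could not be synchronized to the filter", r)
	}
	return -1, nil
}

// installFilter is SeccompSetModeFilter's sequence with the checks above; fd is -1 unless NEW_LISTENER is set.
func installFilter(prog []sockFilter, flags uint) (int, error) {
	if err := validateFlags(flags); err != nil {
		return -1, err
	}
	if seccompNr == 0 {
		return -1, errNoArch
	}
	fprog := sockFprog{Len: uint16(len(prog)), Filter: &prog[0]}
	r, _, e := syscall.Syscall(seccompNr, setModeFilter, uintptr(flags), uintptr(unsafe.Pointer(&fprog)))
	if e != 0 {
		return -1, e
	}
	return decodeReturn(int(r), flags)
}
```

Typical order: noNewPrivs(), then chooseKillAction(actionAvail) to pick the terminal action for the filter's final BPF_RET, then installFilter(prog, flagTSync) once every thread of the process should be covered. Installing a filter is irreversible for the calling thread, so test the filter's decisions first, and expect EACCES if no_new_privs was skipped without CAP_SYS_ADMIN.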
Types ¶
type SeccompNotifSizes ¶
type SeccompNotifSizes struct {
	// SeccompNotif stores the size of the notification structure (struct seccomp_notif)
	SeccompNotif uint16
	// SeccompNotifResp stores the size of the response structure (struct seccomp_notif_resp)
	SeccompNotifResp uint16
	// SeccompData stores the size of the seccomp_data structure
	SeccompData uint16
}
SeccompNotifSizes stores the sizes of the seccomp user-space notification structures as returned by SeccompGetNotifSizes.
func SeccompGetNotifSizes ¶
func SeccompGetNotifSizes() (SeccompNotifSizes, error)
SeccompGetNotifSizes retrieves the sizes of the seccomp user-space notification structures from the kernel (the SECCOMP_GET_NOTIF_SIZES operation). Compare them with the sizes of the structures compiled into the program before using a notification file descriptor: the kernel may grow these structures, and a mismatch means the program's layout no longer matches the kernel's.