Documentation
Index
- Variables
- type APIAccess
- type APIAccessConfig
- type APIID
- type APISubsetID
- type OCIProfile
- func NewOCIProfile(ociSpec *specs.Spec, apparmorProfileName string) *OCIProfile
- func (p *OCIProfile) AddCaps(capsToAdd ...types.Capability)
- func (p *OCIProfile) AddMaskedPaths(pathsToMask ...string)
- func (p *OCIProfile) AddNamespaces(nsTypes ...specs.LinuxNamespaceType)
- func (p *OCIProfile) AllowSyscalls(syscallsToAllow ...types.Syscall)
- func (p *OCIProfile) AllowSyscallsWithArgs(syscallsWithArgsToAllow map[types.Syscall][]specs.LinuxSeccompArg)
- func (p *OCIProfile) BlockSyscalls(syscallsToBlock ...types.Syscall)
- func (p *OCIProfile) BlockSyscallsWithArgs(syscallsWithArgsToBlock map[types.Syscall][]specs.LinuxSeccompArg)
- func (p *OCIProfile) GetType() ProfileType
- func (p *OCIProfile) RemoveCaps(capsToRemove ...types.Capability)
- func (p *OCIProfile) RemoveNamespaces(nsTypes ...specs.LinuxNamespaceType)
- type Profile
- type ProfileType
Constants
This section is empty.
Variables
var OCIProfileType = ProfileType("oci-profile")
OCIProfileType is the identifier for an OCI profile
Functions
This section is empty.
Types
type APIAccess
type APIAccess string
APIAccess states whether access to a controlled API subset is allowed or denied
type APIAccessConfig
type APIAccessConfig struct {
	APIRights map[APIID]map[APISubsetID]APIAccess
}
APIAccessConfig holds one access rule per subset of each controlled API, keyed by API and then by subset
type OCIProfile
type OCIProfile struct {
	OCI             *specs.Spec
	AppArmorSetup   *apparmor.ProfileData
	APIAccessConfig *APIAccessConfig
}
OCIProfile holds the OCI spec settings of a container and is meant to carry its complete security context: the AppArmor setup and the API access rules alongside the OCI spec. OCIProfile should be maintained for both Linux and Windows at any given time.
FIXME: add error handling if the profile or its subfields are not allocated.
FIXME: add API access settings for Engine / Swarm / K8s?
func NewOCIProfile
func NewOCIProfile(ociSpec *specs.Spec, apparmorProfileName string) *OCIProfile
NewOCIProfile instantiates an OCIProfile from an OCI specification structure and an AppArmor profile name
func (*OCIProfile) AddCaps
func (p *OCIProfile) AddCaps(capsToAdd ...types.Capability)
AddCaps adds the given capabilities to every capability mask of the OCI spec, skipping any that are already present
func (*OCIProfile) AddMaskedPaths
func (p *OCIProfile) AddMaskedPaths(pathsToMask ...string)
AddMaskedPaths adds the given paths to the set of paths masked inside the container, skipping any that are already present
func (*OCIProfile) AddNamespaces
func (p *OCIProfile) AddNamespaces(nsTypes ...specs.LinuxNamespaceType)
AddNamespaces adds the given namespace types to the namespaces enabled for the container
func (*OCIProfile) AllowSyscalls
func (p *OCIProfile) AllowSyscalls(syscallsToAllow ...types.Syscall)
AllowSyscalls adds seccomp rules allowing the given syscalls regardless of their arguments
func (*OCIProfile) AllowSyscallsWithArgs
func (p *OCIProfile) AllowSyscallsWithArgs(syscallsWithArgsToAllow map[types.Syscall][]specs.LinuxSeccompArg)
AllowSyscallsWithArgs adds seccomp rules allowing the given syscalls when called with the given arguments, where such rules are not already present
func (*OCIProfile) BlockSyscalls
func (p *OCIProfile) BlockSyscalls(syscallsToBlock ...types.Syscall)
BlockSyscalls adds seccomp rules blocking the given syscalls regardless of their arguments
func (*OCIProfile) BlockSyscallsWithArgs
func (p *OCIProfile) BlockSyscallsWithArgs(syscallsWithArgsToBlock map[types.Syscall][]specs.LinuxSeccompArg)
BlockSyscallsWithArgs adds seccomp rules blocking the given syscalls when called with the given arguments, and removes those syscalls from any existing allow/debug rules
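The seccomp methods above (AllowSyscalls through BlockSyscallsWithArgs) share one piece of bookkeeping worth seeing end to end: blocking a syscall also removes it from the allow rules. The program below is an added example, not code from this package or project. It models the OCI seccomp fields with local types and makes several assumptions: one syscall name per rule, SCMP_CMP_MASKED_EQ as the only comparison, a toy Decide function in which a matching ERRNO rule beats a matching ALLOW rule, and a block that drops every allow rule for the name whatever its arguments. The default-deny profile and the CLONE_NEWUSER filter are constructed inputs. The last step shows the caveat a practitioner should verify against the real package: once clone() is blocked for CLONE_NEWUSER, a plain clone() has no allow rule left either and falls to the default action until it is re-allowed with the complementary argument filter.

```go
package main

import "fmt"

// Local stand-ins for the OCI runtime-spec seccomp types (specs.LinuxSeccomp,
// specs.LinuxSyscall, specs.LinuxSeccompArg). Assumptions: one name per rule and
// SCMP_CMP_MASKED_EQ as the only operator ((arg & Value) == ValueTwo; an exact
// match is the same test with an all-ones mask). Not the spec's or package's types.
type SeccompArg struct {
	Index    uint
	Value    uint64
	ValueTwo uint64
}

type SyscallRule struct {
	Name   string
	Action string       // SCMP_ACT_ALLOW or SCMP_ACT_ERRNO
	Args   []SeccompArg // empty means "any arguments"
}

type Seccomp struct {
	DefaultAction string
	Syscalls      []SyscallRule
}

const CloneNewUser = 0x10000000 // CLONE_NEWUSER from <linux/sched.h>

func addRule(p *Seccomp, action, name string, args []SeccompArg) {
	p.Syscalls = append(p.Syscalls, SyscallRule{Name: name, Action: action, Args: args})
}

// AllowSyscalls adds unconditional allow rules.
func AllowSyscalls(p *Seccomp, names ...string) {
	for _, name := range names {
		addRule(p, "SCMP_ACT_ALLOW", name, nil)
	}
}

// AllowSyscallsWithArgs adds allow rules restricted to the given argument filters.
func AllowSyscallsWithArgs(p *Seccomp, rules map[string][]SeccompArg) {
	for name, args := range rules {
		addRule(p, "SCMP_ACT_ALLOW", name, args)
	}
}

// BlockSyscallsWithArgs adds an ERRNO rule with the given argument filter and, as
// the documented contract says, removes the syscall from existing allow rules.
// Assumption: every allow rule for the name goes, whatever its own arguments.
func BlockSyscallsWithArgs(p *Seccomp, rules map[string][]SeccompArg) {
	for name, args := range rules {
		kept := p.Syscalls[:0] // filter in place
		for _, r := range p.Syscalls {
			if !(r.Action == "SCMP_ACT_ALLOW" && r.Name == name) {
				kept = append(kept, r)
			}
		}
		p.Syscalls = kept
		addRule(p, "SCMP_ACT_ERRNO", name, args)
	}
}

func ruleMatches(r SyscallRule, name string, args []uint64) bool {
	if r.Name != name {
		return false
	}
	for _, a := range r.Args {
		if int(a.Index) >= len(args) || args[a.Index]&a.Value != a.ValueTwo {
			return false
		}
	}
	return true
}

// Decide returns the action the profile yields for one invocation. Model: a
// matching ERRNO rule beats a matching ALLOW rule; with no match DefaultAction
// applies. A deliberate simplification of libseccomp's precedence, used here
// only to make the allow/block bookkeeping observable.
func Decide(p *Seccomp, name string, args ...uint64) string {
	for _, action := range []string{"SCMP_ACT_ERRNO", "SCMP_ACT_ALLOW"} {
		for _, r := range p.Syscalls {
			if r.Action == action && ruleMatches(r, name, args) {
				return action
			}
		}
	}
	return p.DefaultAction
}

func main() {
	p := &Seccomp{DefaultAction: "SCMP_ACT_ERRNO"} // constructed default-deny profile
	AllowSyscalls(p, "read", "write", "clone")
	// Block clone() whenever CLONE_NEWUSER is set: (arg0 & CLONE_NEWUSER) == CLONE_NEWUSER.
	newUserNS := []SeccompArg{{Index: 0, Value: CloneNewUser, ValueTwo: CloneNewUser}}
	BlockSyscallsWithArgs(p, map[string][]SeccompArg{"clone": newUserNS})
	fmt.Println("clone(CLONE_NEWUSER):", Decide(p, "clone", CloneNewUser)) // SCMP_ACT_ERRNO
	// The unconditional allow for clone is gone, so a plain clone() hits the default too ...
	fmt.Println("clone(0):", Decide(p, "clone", 0)) // SCMP_ACT_ERRNO
	// ... until the complementary case is allowed explicitly.
	noNewUserNS := []SeccompArg{{Index: 0, Value: CloneNewUser, ValueTwo: 0}}
	AllowSyscallsWithArgs(p, map[string][]SeccompArg{"clone": noNewUserNS})
	fmt.Println("clone(0) after re-allow:", Decide(p, "clone", 0)) // SCMP_ACT_ALLOW
}
```

Whatever the real package does with the remaining invocations of a syscall that has been argument-blocked, the check to run after editing a profile is the same: evaluate the invocations you still need against the resulting rule set rather than trusting that "block with args" left them untouched.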
func (*OCIProfile) GetType
func (p *OCIProfile) GetType() ProfileType
GetType returns the OCI profile type identifier (OCIProfileType)
func (*OCIProfile) RemoveCaps
func (p *OCIProfile) RemoveCaps(capsToRemove ...types.Capability)
RemoveCaps removes the given capabilities from every capability mask in which they are present
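AddCaps and RemoveCaps both act on all capability masks at once, which is the property that matters: a capability present in the bounding set but absent from the effective set is neither granted nor cleanly denied. The program below is an added example, not the package's code. It models the five masks of the OCI runtime-spec with a local LinuxCapabilities type (assumed to mirror specs.LinuxCapabilities), applies the idempotent add/remove semantics described above, and adds a Consistent check that flags a profile whose masks have drifted apart, the usual outcome when masks are edited one at a time. The starting capability names are a constructed set.

```go
package main

import "fmt"

// LinuxCapabilities is a local stand-in for the five capability masks of the
// OCI runtime-spec (specs.LinuxCapabilities). Assumption: the field names mirror
// the spec; this is neither the runtime-spec type nor a type from the package.
type LinuxCapabilities struct {
	Bounding    []string
	Effective   []string
	Inheritable []string
	Permitted   []string
	Ambient     []string
}

// NewCaps builds a profile whose five masks all start with the same set. Each
// mask gets its own backing array: sharing one slice between masks would let an
// in-place edit of one mask silently rewrite the others.
func NewCaps(names ...string) *LinuxCapabilities {
	c := &LinuxCapabilities{}
	for _, m := range c.masks() {
		*m = append([]string(nil), names...)
	}
	return c
}

// masks returns every mask so that an edit is applied to all of them, which is
// what "all capability masks" means in the AddCaps and RemoveCaps contracts.
func (c *LinuxCapabilities) masks() []*[]string {
	return []*[]string{&c.Bounding, &c.Effective, &c.Inheritable, &c.Permitted, &c.Ambient}
}

func contains(list []string, name string) bool {
	for _, x := range list {
		if x == name {
			return true
		}
	}
	return false
}

// AddCaps adds each capability to every mask unless already present, so a
// repeated call never produces duplicate entries.
func AddCaps(c *LinuxCapabilities, names ...string) {
	for _, m := range c.masks() {
		for _, name := range names {
			if !contains(*m, name) {
				*m = append(*m, name)
			}
		}
	}
}

// RemoveCaps drops each capability from every mask in which it is present.
func RemoveCaps(c *LinuxCapabilities, names ...string) {
	drop := make(map[string]bool, len(names))
	for _, name := range names {
		drop[name] = true
	}
	for _, m := range c.masks() {
		kept := (*m)[:0] // filter in place; reads stay ahead of writes
		for _, x := range *m {
			if !drop[x] {
				kept = append(kept, x)
			}
		}
		*m = kept
	}
}

// Consistent reports whether all five masks hold the same set of capabilities.
// It relies on masks being duplicate-free, which AddCaps guarantees. A profile
// that fails this check has been edited mask by mask somewhere.
func Consistent(c *LinuxCapabilities) bool {
	for _, m := range c.masks() {
		if len(*m) != len(c.Bounding) {
			return false
		}
		for _, name := range *m {
			if !contains(c.Bounding, name) {
				return false
			}
		}
	}
	return true
}

func main() {
	// Constructed starting set, a small subset of a typical container default.
	caps := NewCaps("CAP_CHOWN", "CAP_NET_RAW", "CAP_NET_BIND_SERVICE")
	RemoveCaps(caps, "CAP_NET_RAW")       // no raw sockets for this workload
	AddCaps(caps, "CAP_NET_BIND_SERVICE") // already present: no duplicate
	AddCaps(caps, "CAP_SYS_PTRACE")
	fmt.Println("effective:", caps.Effective, "consistent:", Consistent(caps))
}
```

The Consistent check is the part worth keeping around: run it on any profile that was assembled from several sources before handing the spec to a runtime, since a mask-by-mask edit is invisible in the final JSON unless you compare the five lists.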
func (*OCIProfile) RemoveNamespaces
func (p *OCIProfile) RemoveNamespaces(nsTypes ...specs.LinuxNamespaceType)
RemoveNamespaces disables the given namespace types
type Profile
type Profile interface {
	GetType() ProfileType
}
Profile is an abstract interface representing security profiles. Each security profile has its own type and its own API, as needs vary across profile formats.
type ProfileType
type ProfileType string
ProfileType is a string identifying a specific and unique security profile type