// Linux capabilities, spelled exactly as the kernel and capabilities(7) name them.
// Descriptions are condensed from capabilities(7).
//
// NOTE(review): the set stops at the capabilities known up to CAP_AUDIT_READ.
// Later additions (CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE) have no constant
// here, so a policy assembled only from these names cannot name them — confirm
// whether callers need them.
const (
	// CapAuditControl - Enable and disable kernel auditing; change auditing filter
	// rules; retrieve auditing status and filtering rules.
	CapAuditControl types.Capability = "CAP_AUDIT_CONTROL"
	// CapAuditRead - Allow reading the audit log via a multicast netlink socket.
	CapAuditRead types.Capability = "CAP_AUDIT_READ"
	// CapAuditWrite - Write records to kernel auditing log.
	CapAuditWrite types.Capability = "CAP_AUDIT_WRITE"
	// CapBlockSuspend - Employ features that can block system suspend.
	CapBlockSuspend types.Capability = "CAP_BLOCK_SUSPEND"
	// CapChown - Make arbitrary changes to file UIDs and GIDs.
	CapChown types.Capability = "CAP_CHOWN"
	// CapDacOverride - Bypass file read, write, and execute permission checks.
	CapDacOverride types.Capability = "CAP_DAC_OVERRIDE"
	// CapDacReadSearch -
	// * Bypass file read permission checks and directory read and execute permission checks
	// * invoke open_by_handle_at(2)
	// * use the linkat(2) AT_EMPTY_PATH flag to create a link to a file referred to by a file descriptor
	CapDacReadSearch types.Capability = "CAP_DAC_READ_SEARCH"
	// CapFowner -
	// * Bypass permission checks on operations that normally require the filesystem UID of the process
	//   to match the UID of the file, excluding the operations covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH
	// * set inode flags on arbitrary files
	// * set Access Control Lists (ACLs) on arbitrary files
	// * ignore directory sticky bit on file deletion
	// * specify O_NOATIME for arbitrary files in open and fcntl
	CapFowner types.Capability = "CAP_FOWNER"
	// CapFsetid -
	// * Don't clear set-user-ID and set-group-ID mode bits when a file is modified
	// * set the set-group-ID bit for a file whose GID does not match the filesystem or any of the supplementary
	//   GIDs of the calling process.
	CapFsetid types.Capability = "CAP_FSETID"
	// CapIpcLock - Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).
	CapIpcLock types.Capability = "CAP_IPC_LOCK"
	// CapIpcOwner - Bypass permission checks for operations on System V IPC objects.
	CapIpcOwner types.Capability = "CAP_IPC_OWNER"
	// CapKill - Bypass permission checks for sending signals.
	CapKill types.Capability = "CAP_KILL"
	// CapLease - Establish leases on arbitrary files.
	CapLease types.Capability = "CAP_LEASE"
	// CapLinuxImmutable - Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags.
	CapLinuxImmutable types.Capability = "CAP_LINUX_IMMUTABLE"
	// CapMacAdmin - Allow MAC configuration or state changes. Implemented for the Smack Linux Security Module (LSM).
	// (capabilities(7) assigns this description to CAP_MAC_ADMIN; the earlier comment text had it swapped with CAP_MAC_OVERRIDE.)
	CapMacAdmin types.Capability = "CAP_MAC_ADMIN"
	// CapMacOverride - Override Mandatory Access Control (MAC). Implemented for the Smack LSM.
	CapMacOverride types.Capability = "CAP_MAC_OVERRIDE"
	// CapMknod - Create special files using mknod(2).
	CapMknod types.Capability = "CAP_MKNOD"
	// CapNetAdmin - Perform various network-related operations:
	// * interface configuration;
	// * administration of IP firewall, masquerading, and accounting;
	// * modify routing tables;
	// * bind to any address for transparent proxying;
	// * set type-of-service (TOS)
	// * clear driver statistics;
	// * set promiscuous mode;
	// * enabling multicasting;
	// * use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority
	//   outside the range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
	CapNetAdmin types.Capability = "CAP_NET_ADMIN"
	// CapNetBindService - Bind a socket to Internet domain privileged ports (port numbers less than 1024).
	CapNetBindService types.Capability = "CAP_NET_BIND_SERVICE"
	// CapNetBroadcast - Make socket broadcasts, and listen to multicasts.
	CapNetBroadcast types.Capability = "CAP_NET_BROADCAST"
	// CapNetRaw -
	// * Use RAW and PACKET sockets
	// * bind to any address for transparent proxying.
	CapNetRaw types.Capability = "CAP_NET_RAW"
	// CapSetgid -
	// * Make arbitrary manipulations of process GIDs and supplementary GID list
	// * forge GID when passing socket credentials via UNIX domain sockets
	// * write a group ID mapping in a user namespace
	CapSetgid types.Capability = "CAP_SETGID"
	// CapSetfcap - Set file capabilities.
	CapSetfcap types.Capability = "CAP_SETFCAP"
	// CapSetpcap -
	// * If file capabilities are not supported: grant or remove any capability in the caller's permitted
	//   capability set to or from any other process.
	// * If file capabilities are supported: add any capability from the calling thread's bounding set to its
	//   inheritable set; drop capabilities from the bounding set; make changes to the securebits flags.
	CapSetpcap types.Capability = "CAP_SETPCAP"
	// CapSetuid -
	// * Make arbitrary manipulations of process UIDs
	// * forge UID when passing socket credentials via UNIX domain sockets
	// * write a user ID mapping in a user namespace
	CapSetuid types.Capability = "CAP_SETUID"
	// CapSysAdmin - Perform administrative operations on the system (see man capabilities(7)).
	// This is the broadest capability (mount(2), setns(2), quotactl(2), keyctl(2), ...); when granting it,
	// treat it as close to full root rather than as a narrow privilege.
	CapSysAdmin types.Capability = "CAP_SYS_ADMIN"
	// CapSysBoot - Use reboot(2) and kexec_load(2).
	CapSysBoot types.Capability = "CAP_SYS_BOOT"
	// CapSysChroot - Use chroot(2).
	CapSysChroot types.Capability = "CAP_SYS_CHROOT"
	// CapSysModule - Load and unload kernel modules (init_module(2), finit_module(2), delete_module(2)).
	CapSysModule types.Capability = "CAP_SYS_MODULE"
	// CapSysNice -
	// * Raise processes nice value
	// * set real-time scheduling policies for processes
	// * set CPU affinity for arbitrary processes
	// * set I/O scheduling class and priority for arbitrary processes
	CapSysNice types.Capability = "CAP_SYS_NICE"
	// CapSysPacct - Use acct(2).
	CapSysPacct types.Capability = "CAP_SYS_PACCT"
	// CapSysPtrace - Trace, inspect and modify the state of arbitrary processes
	// (ptrace(2), process_vm_readv(2)/process_vm_writev(2), kcmp(2)).
	CapSysPtrace types.Capability = "CAP_SYS_PTRACE"
	// CapSysRawio - Perform various privileged IO operations (see man capabilities(7)).
	CapSysRawio types.Capability = "CAP_SYS_RAWIO"
	// CapSysResource - Perform various privileged resource configuration operations (see man capabilities(7)).
	CapSysResource types.Capability = "CAP_SYS_RESOURCE"
	// CapSysTime - Set system and hardware clocks.
	CapSysTime types.Capability = "CAP_SYS_TIME"
	// CapSysTtyConfig -
	// * Use vhangup(2)
	// * Perform various privileged ioctl(2) operations on TTYs
	CapSysTtyConfig types.Capability = "CAP_SYS_TTY_CONFIG"
	// CapSyslog -
	// * Perform privileged syslog operations
	// * View kernel addresses exposed via /proc under certain conditions
	CapSyslog types.Capability = "CAP_SYSLOG"
	// CapWakeAlarm - Trigger something that will wake up the system
	// (CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).
	CapWakeAlarm types.Capability = "CAP_WAKE_ALARM"
)
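// prctl(2) operation codes used when managing the capability bounding set.
//
// Each name is bound to the matching PR_CAPBSET_* value: PrCapbsetDrop removes
// a capability from the calling thread's bounding set, PrCapbsetRead only
// queries whether a capability is present in it. The previous revision bound
// the two names to each other's value, so a caller issuing a "drop" actually
// performed a read and the capability silently stayed in the bounding set.
const (
	// PrCapbsetDrop is the prctl PR_CAPBSET_DROP argument value.
	PrCapbsetDrop = syscall.PR_CAPBSET_DROP
	// PrCapbsetRead is the prctl PR_CAPBSET_READ argument value.
	PrCapbsetRead = syscall.PR_CAPBSET_READ
)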
// Syscall names for use in seccomp rules.
//
// NOTE(review): the order appears to follow the x86_64 syscall table (read,
// write, open, ... pkey_free); treat that as an observation, not a guarantee —
// only the names carried by the constants matter to a seccomp filter.
//
// NOTE(review): the list ends at pkey_free. Syscalls introduced later (statx,
// io_uring_*, clone3, openat2, ...) have no constant here, so an allowlist built
// from these names alone cannot express them and a denylist cannot name them by
// constant — confirm that callers handle names outside this list. Nothing in this
// block marks which entries are dangerous; entries such as ptrace, bpf,
// kexec_load, init_module/finit_module/delete_module, mount, reboot and
// personality are the ones default container profiles (e.g. Docker's) typically
// deny, and that decision has to be made by the policy that uses these names.
const (
	// Basic file I/O and memory mapping.
	SysRead types.Syscall = "read"
	SysWrite types.Syscall = "write"
	SysOpen types.Syscall = "open"
	SysClose types.Syscall = "close"
	SysStat types.Syscall = "stat"
	SysFstat types.Syscall = "fstat"
	SysLstat types.Syscall = "lstat"
	SysPoll types.Syscall = "poll"
	SysLseek types.Syscall = "lseek"
	SysMmap types.Syscall = "mmap"
	SysMprotect types.Syscall = "mprotect"
	SysMunmap types.Syscall = "munmap"
	SysBrk types.Syscall = "brk"
	// Real-time signal handling.
	SysRtSigaction types.Syscall = "rt_sigaction"
	SysRtSigprocmask types.Syscall = "rt_sigprocmask"
	SysRtSigreturn types.Syscall = "rt_sigreturn"
	SysIoctl types.Syscall = "ioctl"
	SysPread64 types.Syscall = "pread64"
	SysPwrite64 types.Syscall = "pwrite64"
	SysReadv types.Syscall = "readv"
	SysWritev types.Syscall = "writev"
	SysAccess types.Syscall = "access"
	SysPipe types.Syscall = "pipe"
	SysSelect types.Syscall = "select"
	SysSchedYield types.Syscall = "sched_yield"
	SysMremap types.Syscall = "mremap"
	SysMsync types.Syscall = "msync"
	SysMincore types.Syscall = "mincore"
	SysMadvise types.Syscall = "madvise"
	// System V shared memory.
	SysShmget types.Syscall = "shmget"
	SysShmat types.Syscall = "shmat"
	SysShmctl types.Syscall = "shmctl"
	SysDup types.Syscall = "dup"
	SysDup2 types.Syscall = "dup2"
	SysPause types.Syscall = "pause"
	SysNanosleep types.Syscall = "nanosleep"
	SysGetitimer types.Syscall = "getitimer"
	SysAlarm types.Syscall = "alarm"
	SysSetitimer types.Syscall = "setitimer"
	SysGetpid types.Syscall = "getpid"
	SysSendfile types.Syscall = "sendfile"
	// Sockets.
	SysSocket types.Syscall = "socket"
	SysConnect types.Syscall = "connect"
	SysAccept types.Syscall = "accept"
	SysSendto types.Syscall = "sendto"
	SysRecvfrom types.Syscall = "recvfrom"
	SysSendmsg types.Syscall = "sendmsg"
	SysRecvmsg types.Syscall = "recvmsg"
	SysShutdown types.Syscall = "shutdown"
	SysBind types.Syscall = "bind"
	SysListen types.Syscall = "listen"
	SysGetsockname types.Syscall = "getsockname"
	SysGetpeername types.Syscall = "getpeername"
	SysSocketpair types.Syscall = "socketpair"
	SysSetsockopt types.Syscall = "setsockopt"
	SysGetsockopt types.Syscall = "getsockopt"
	// Process creation and termination.
	SysClone types.Syscall = "clone"
	SysFork types.Syscall = "fork"
	SysVfork types.Syscall = "vfork"
	SysExecve types.Syscall = "execve"
	SysExit types.Syscall = "exit"
	SysWait4 types.Syscall = "wait4"
	SysKill types.Syscall = "kill"
	SysUname types.Syscall = "uname"
	// System V semaphores and message queues.
	SysSemget types.Syscall = "semget"
	SysSemop types.Syscall = "semop"
	SysSemctl types.Syscall = "semctl"
	SysShmdt types.Syscall = "shmdt"
	SysMsgget types.Syscall = "msgget"
	SysMsgsnd types.Syscall = "msgsnd"
	SysMsgrcv types.Syscall = "msgrcv"
	SysMsgctl types.Syscall = "msgctl"
	// File descriptor, directory and file-metadata operations.
	SysFcntl types.Syscall = "fcntl"
	SysFlock types.Syscall = "flock"
	SysFsync types.Syscall = "fsync"
	SysFdatasync types.Syscall = "fdatasync"
	SysTruncate types.Syscall = "truncate"
	SysFtruncate types.Syscall = "ftruncate"
	SysGetdents types.Syscall = "getdents"
	SysGetcwd types.Syscall = "getcwd"
	SysChdir types.Syscall = "chdir"
	SysFchdir types.Syscall = "fchdir"
	SysRename types.Syscall = "rename"
	SysMkdir types.Syscall = "mkdir"
	SysRmdir types.Syscall = "rmdir"
	SysCreat types.Syscall = "creat"
	SysLink types.Syscall = "link"
	SysUnlink types.Syscall = "unlink"
	SysSymlink types.Syscall = "symlink"
	SysReadlink types.Syscall = "readlink"
	SysChmod types.Syscall = "chmod"
	SysFchmod types.Syscall = "fchmod"
	SysChown types.Syscall = "chown"
	SysFchown types.Syscall = "fchown"
	SysLchown types.Syscall = "lchown"
	SysUmask types.Syscall = "umask"
	SysGettimeofday types.Syscall = "gettimeofday"
	SysGetrlimit types.Syscall = "getrlimit"
	SysGetrusage types.Syscall = "getrusage"
	SysSysinfo types.Syscall = "sysinfo"
	SysTimes types.Syscall = "times"
	SysPtrace types.Syscall = "ptrace"
	// Process credentials and identity.
	SysGetuid types.Syscall = "getuid"
	SysSyslog types.Syscall = "syslog"
	SysGetgid types.Syscall = "getgid"
	SysSetuid types.Syscall = "setuid"
	SysSetgid types.Syscall = "setgid"
	SysGeteuid types.Syscall = "geteuid"
	SysGetegid types.Syscall = "getegid"
	SysSetpgid types.Syscall = "setpgid"
	SysGetppid types.Syscall = "getppid"
	SysGetpgrp types.Syscall = "getpgrp"
	SysSetsid types.Syscall = "setsid"
	SysSetreuid types.Syscall = "setreuid"
	SysSetregid types.Syscall = "setregid"
	SysGetgroups types.Syscall = "getgroups"
	SysSetgroups types.Syscall = "setgroups"
	SysSetresuid types.Syscall = "setresuid"
	SysGetresuid types.Syscall = "getresuid"
	SysSetresgid types.Syscall = "setresgid"
	SysGetresgid types.Syscall = "getresgid"
	SysGetpgid types.Syscall = "getpgid"
	SysSetfsuid types.Syscall = "setfsuid"
	SysSetfsgid types.Syscall = "setfsgid"
	SysGetsid types.Syscall = "getsid"
	SysCapget types.Syscall = "capget"
	SysCapset types.Syscall = "capset"
	SysRtSigpending types.Syscall = "rt_sigpending"
	SysRtSigtimedwait types.Syscall = "rt_sigtimedwait"
	SysRtSigqueueinfo types.Syscall = "rt_sigqueueinfo"
	SysRtSigsuspend types.Syscall = "rt_sigsuspend"
	SysSigaltstack types.Syscall = "sigaltstack"
	SysUtime types.Syscall = "utime"
	SysMknod types.Syscall = "mknod"
	SysUselib types.Syscall = "uselib"
	SysPersonality types.Syscall = "personality"
	SysUstat types.Syscall = "ustat"
	SysStatfs types.Syscall = "statfs"
	SysFstatfs types.Syscall = "fstatfs"
	SysSysfs types.Syscall = "sysfs"
	// Scheduling.
	SysGetpriority types.Syscall = "getpriority"
	SysSetpriority types.Syscall = "setpriority"
	SysSchedSetparam types.Syscall = "sched_setparam"
	SysSchedGetparam types.Syscall = "sched_getparam"
	SysSchedSetscheduler types.Syscall = "sched_setscheduler"
	SysSchedGetscheduler types.Syscall = "sched_getscheduler"
	SysSchedGetPriorityMax types.Syscall = "sched_get_priority_max"
	SysSchedGetPriorityMin types.Syscall = "sched_get_priority_min"
	SysSchedRrGetInterval types.Syscall = "sched_rr_get_interval"
	SysMlock types.Syscall = "mlock"
	SysMunlock types.Syscall = "munlock"
	SysMlockall types.Syscall = "mlockall"
	SysMunlockall types.Syscall = "munlockall"
	SysVhangup types.Syscall = "vhangup"
	SysModifyLdt types.Syscall = "modify_ldt"
	SysPivotRoot types.Syscall = "pivot_root"
	// The kernel spells this one with a leading underscore.
	SysSysctl types.Syscall = "_sysctl"
	SysPrctl types.Syscall = "prctl"
	SysArchPrctl types.Syscall = "arch_prctl"
	// System administration: clocks, limits, mounts, swap, reboot, host identity.
	SysAdjtimex types.Syscall = "adjtimex"
	SysSetrlimit types.Syscall = "setrlimit"
	SysChroot types.Syscall = "chroot"
	SysSync types.Syscall = "sync"
	SysAcct types.Syscall = "acct"
	SysSettimeofday types.Syscall = "settimeofday"
	SysMount types.Syscall = "mount"
	SysUmount2 types.Syscall = "umount2"
	SysSwapon types.Syscall = "swapon"
	SysSwapoff types.Syscall = "swapoff"
	SysReboot types.Syscall = "reboot"
	SysSethostname types.Syscall = "sethostname"
	SysSetdomainname types.Syscall = "setdomainname"
	SysIopl types.Syscall = "iopl"
	SysIoperm types.Syscall = "ioperm"
	// Kernel modules (create_module, get_kernel_syms and query_module are
	// obsolete names kept in the table).
	SysCreateModule types.Syscall = "create_module"
	SysInitModule types.Syscall = "init_module"
	SysDeleteModule types.Syscall = "delete_module"
	SysGetKernelSyms types.Syscall = "get_kernel_syms"
	SysQueryModule types.Syscall = "query_module"
	SysQuotactl types.Syscall = "quotactl"
	SysNfsservctl types.Syscall = "nfsservctl"
	SysGetpmsg types.Syscall = "getpmsg"
	SysPutpmsg types.Syscall = "putpmsg"
	SysAfsSyscall types.Syscall = "afs_syscall"
	SysTuxcall types.Syscall = "tuxcall"
	SysSecurity types.Syscall = "security"
	SysGettid types.Syscall = "gettid"
	SysReadahead types.Syscall = "readahead"
	// Extended attributes.
	SysSetxattr types.Syscall = "setxattr"
	SysLsetxattr types.Syscall = "lsetxattr"
	SysFsetxattr types.Syscall = "fsetxattr"
	SysGetxattr types.Syscall = "getxattr"
	SysLgetxattr types.Syscall = "lgetxattr"
	SysFgetxattr types.Syscall = "fgetxattr"
	SysListxattr types.Syscall = "listxattr"
	SysLlistxattr types.Syscall = "llistxattr"
	SysFlistxattr types.Syscall = "flistxattr"
	SysRemovexattr types.Syscall = "removexattr"
	SysLremovexattr types.Syscall = "lremovexattr"
	SysFremovexattr types.Syscall = "fremovexattr"
	SysTkill types.Syscall = "tkill"
	SysTime types.Syscall = "time"
	SysFutex types.Syscall = "futex"
	SysSchedSetaffinity types.Syscall = "sched_setaffinity"
	SysSchedGetaffinity types.Syscall = "sched_getaffinity"
	SysSetThreadArea types.Syscall = "set_thread_area"
	// Asynchronous I/O.
	SysIoSetup types.Syscall = "io_setup"
	SysIoDestroy types.Syscall = "io_destroy"
	SysIoGetevents types.Syscall = "io_getevents"
	SysIoSubmit types.Syscall = "io_submit"
	SysIoCancel types.Syscall = "io_cancel"
	SysGetThreadArea types.Syscall = "get_thread_area"
	// epoll.
	SysEpollCreate types.Syscall = "epoll_create"
	SysEpollCtlOld types.Syscall = "epoll_ctl_old"
	SysEpollWaitOld types.Syscall = "epoll_wait_old"
	SysRemapFilePages types.Syscall = "remap_file_pages"
	SysGetdents64 types.Syscall = "getdents64"
	SysSetTidAddress types.Syscall = "set_tid_address"
	SysRestartSyscall types.Syscall = "restart_syscall"
	SysSemtimedop types.Syscall = "semtimedop"
	SysFadvise64 types.Syscall = "fadvise64"
	// POSIX timers and clocks.
	SysTimerCreate types.Syscall = "timer_create"
	SysTimerSettime types.Syscall = "timer_settime"
	SysTimerGettime types.Syscall = "timer_gettime"
	SysTimerGetoverrun types.Syscall = "timer_getoverrun"
	SysTimerDelete types.Syscall = "timer_delete"
	SysClockSettime types.Syscall = "clock_settime"
	SysClockGettime types.Syscall = "clock_gettime"
	SysClockGetres types.Syscall = "clock_getres"
	SysClockNanosleep types.Syscall = "clock_nanosleep"
	SysExitGroup types.Syscall = "exit_group"
	SysEpollWait types.Syscall = "epoll_wait"
	SysEpollCtl types.Syscall = "epoll_ctl"
	SysTgkill types.Syscall = "tgkill"
	SysUtimes types.Syscall = "utimes"
	SysVserver types.Syscall = "vserver"
	// NUMA memory policy.
	SysMbind types.Syscall = "mbind"
	SysSetMempolicy types.Syscall = "set_mempolicy"
	SysGetMempolicy types.Syscall = "get_mempolicy"
	// POSIX message queues.
	SysMqOpen types.Syscall = "mq_open"
	SysMqUnlink types.Syscall = "mq_unlink"
	SysMqTimedsend types.Syscall = "mq_timedsend"
	SysMqTimedreceive types.Syscall = "mq_timedreceive"
	SysMqNotify types.Syscall = "mq_notify"
	SysMqGetsetattr types.Syscall = "mq_getsetattr"
	SysKexecLoad types.Syscall = "kexec_load"
	SysWaitid types.Syscall = "waitid"
	// Kernel keyring.
	SysAddKey types.Syscall = "add_key"
	SysRequestKey types.Syscall = "request_key"
	SysKeyctl types.Syscall = "keyctl"
	SysIoprioSet types.Syscall = "ioprio_set"
	SysIoprioGet types.Syscall = "ioprio_get"
	// inotify.
	SysInotifyInit types.Syscall = "inotify_init"
	SysInotifyAddWatch types.Syscall = "inotify_add_watch"
	SysInotifyRmWatch types.Syscall = "inotify_rm_watch"
	SysMigratePages types.Syscall = "migrate_pages"
	// Directory-fd-relative ("*at") file operations.
	SysOpenat types.Syscall = "openat"
	SysMkdirat types.Syscall = "mkdirat"
	SysMknodat types.Syscall = "mknodat"
	SysFchownat types.Syscall = "fchownat"
	SysFutimesat types.Syscall = "futimesat"
	SysNewfstatat types.Syscall = "newfstatat"
	SysUnlinkat types.Syscall = "unlinkat"
	SysRenameat types.Syscall = "renameat"
	SysLinkat types.Syscall = "linkat"
	SysSymlinkat types.Syscall = "symlinkat"
	SysReadlinkat types.Syscall = "readlinkat"
	SysFchmodat types.Syscall = "fchmodat"
	SysFaccessat types.Syscall = "faccessat"
	SysPselect6 types.Syscall = "pselect6"
	SysPpoll types.Syscall = "ppoll"
	SysSetRobustList types.Syscall = "set_robust_list"
	SysGetRobustList types.Syscall = "get_robust_list"
	SysSplice types.Syscall = "splice"
	SysTee types.Syscall = "tee"
	SysSyncFileRange types.Syscall = "sync_file_range"
	SysVmsplice types.Syscall = "vmsplice"
	SysMovePages types.Syscall = "move_pages"
	SysUtimensat types.Syscall = "utimensat"
	SysEpollPwait types.Syscall = "epoll_pwait"
	// fd-based signal, timer and event primitives.
	SysSignalfd types.Syscall = "signalfd"
	SysTimerfdCreate types.Syscall = "timerfd_create"
	SysEventfd types.Syscall = "eventfd"
	SysFallocate types.Syscall = "fallocate"
	SysTimerfdSettime types.Syscall = "timerfd_settime"
	SysTimerfdGettime types.Syscall = "timerfd_gettime"
	SysAccept4 types.Syscall = "accept4"
	SysSignalfd4 types.Syscall = "signalfd4"
	SysEventfd2 types.Syscall = "eventfd2"
	SysEpollCreate1 types.Syscall = "epoll_create1"
	SysDup3 types.Syscall = "dup3"
	SysPipe2 types.Syscall = "pipe2"
	SysInotifyInit1 types.Syscall = "inotify_init1"
	SysPreadv types.Syscall = "preadv"
	SysPwritev types.Syscall = "pwritev"
	SysRtTgsigqueueinfo types.Syscall = "rt_tgsigqueueinfo"
	SysPerfEventOpen types.Syscall = "perf_event_open"
	SysRecvmmsg types.Syscall = "recvmmsg"
	SysFanotifyInit types.Syscall = "fanotify_init"
	SysFanotifyMark types.Syscall = "fanotify_mark"
	SysPrlimit64 types.Syscall = "prlimit64"
	SysNameToHandleAt types.Syscall = "name_to_handle_at"
	SysOpenByHandleAt types.Syscall = "open_by_handle_at"
	SysClockAdjtime types.Syscall = "clock_adjtime"
	SysSyncfs types.Syscall = "syncfs"
	SysSendmmsg types.Syscall = "sendmmsg"
	SysSetns types.Syscall = "setns"
	SysGetcpu types.Syscall = "getcpu"
	SysProcessVMReadv types.Syscall = "process_vm_readv"
	SysProcessVMWritev types.Syscall = "process_vm_writev"
	SysKcmp types.Syscall = "kcmp"
	SysFinitModule types.Syscall = "finit_module"
	SysSchedSetattr types.Syscall = "sched_setattr"
	SysSchedGetattr types.Syscall = "sched_getattr"
	SysRenameat2 types.Syscall = "renameat2"
	SysSeccomp types.Syscall = "seccomp"
	SysGetrandom types.Syscall = "getrandom"
	SysMemfdCreate types.Syscall = "memfd_create"
	SysKexecFileLoad types.Syscall = "kexec_file_load"
	SysBpf types.Syscall = "bpf"
	SysExecveat types.Syscall = "execveat"
	SysUserfaultfd types.Syscall = "userfaultfd"
	SysMembarrier types.Syscall = "membarrier"
	SysMlock2 types.Syscall = "mlock2"
	SysCopyFileRange types.Syscall = "copy_file_range"
	SysPreadv2 types.Syscall = "preadv2"
	SysPwritev2 types.Syscall = "pwritev2"
	// Memory protection keys.
	SysPkeyMprotect types.Syscall = "pkey_mprotect"
	SysPkeyAlloc types.Syscall = "pkey_alloc"
	SysPkeyFree types.Syscall = "pkey_free"
)
Syscall list for Seccomp rules.
var (
	// DefaultMobyAllowedMounts holds the default Moby mounts: the pseudo-filesystems a
	// container normally needs, each mounted with options that keep the mount itself from
	// widening the container's reach into the host:
	//   - nosuid: set-user-ID/set-group-ID bits on files under the mount are ignored
	//   - noexec: programs under the mount cannot be executed
	//   - nodev:  device nodes under the mount are not interpreted
	//   - ro:     the mount is read-only
	//
	// NOTE(review): this is a data table only; the code that turns it into an OCI spec and
	// any comparison against a user-supplied mount list live elsewhere — confirm that
	// a less restrictive option set for one of these destinations is rejected there.
	DefaultMobyAllowedMounts = []specs.Mount{
		{
			// procfs with all three hardening options.
			Destination: "/proc",
			Type:        "proc",
			Source:      "proc",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		{
			// A fresh tmpfs rather than the host's /dev. mode=755 keeps it non-writable
			// for non-root; strictatime keeps exact access-time updates. No nodev or noexec
			// here — presumably because device nodes are populated inside it; confirm.
			Destination: "/dev",
			Type:        "tmpfs",
			Source:      "tmpfs",
			Options:     []string{"nosuid", "strictatime", "mode=755"},
		},
		{
			// Pseudo-terminals. newinstance gives the container its own devpts instance
			// instead of sharing the host's; ptmxmode/mode/gid set the node permissions
			// (gid=5 is conventionally the "tty" group — verify against the image).
			Destination: "/dev/pts",
			Type:        "devpts",
			Source:      "devpts",
			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
		},
		{
			// sysfs, read-only: the container can read kernel/device state but not change it.
			Destination: "/sys",
			Type:        "sysfs",
			Source:      "sysfs",
			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
		},
		{
			// cgroup tree, read-only, so the container cannot rewrite its own limits.
			Destination: "/sys/fs/cgroup",
			Type:        "cgroup",
			Source:      "cgroup",
			Options:     []string{"ro", "nosuid", "noexec", "nodev"},
		},
		{
			// POSIX message queues with all three hardening options.
			Destination: "/dev/mqueue",
			Type:        "mqueue",
			Source:      "mqueue",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
	}
)