Constants ¶
const ErrCannotFetchContainerStatus = Error("error trying to fetch container status")
ErrCannotFetchContainerStatus is returned when a container cannot have its status verified.
const ErrContainerExecutionFailure = Error("error running container")
ErrContainerExecutionFailure is returned when a container execution fails.
const ErrContainerExecutionTimeout = Error("container execution timed-out")
ErrContainerExecutionTimeout is returned when a container execution times out.
const ErrHighRiskSyscallAllowed = Error("profile allows high-risk system calls")
ErrHighRiskSyscallAllowed is returned when a profile allows high-risk system calls.
const ErrImageCouldNotBePulled = Error("image could not be pulled")
ErrImageCouldNotBePulled is returned when the image is not found locally and cannot be downloaded from an external container registry.
const ErrInvalidProfile = Error("profile content is invalid")
ErrInvalidProfile is returned when an invalid seccomp profile is provided.
const ErrInvalidSyntax = Error("invalid syntax")
ErrInvalidSyntax is returned when an invalid syntax is used.
const ErrInvalidTemplateName = Error("invalid template name")
ErrInvalidTemplateName is returned when an invalid template name is used.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type BruteForceRunner ¶
type BruteForceRunner interface {
RunWithSeccomp(profile *specs.LinuxSeccomp) error
}
BruteForceRunner defines the interface for brute force runners.
type BruteForceSource ¶
type BruteForceSource struct {
// contains filtered or unexported fields
}
BruteForceSource represents a system calls source based on a brute force approach.
func NewBruteForceSource ¶
func NewBruteForceSource(runner BruteForceRunner) *BruteForceSource
NewBruteForceSource initialises BruteForceSource.
func (*BruteForceSource) GetSystemCalls ¶
func (s *BruteForceSource) GetSystemCalls() (*specs.LinuxSyscall, error)
GetSystemCalls returns all system calls found by brute forcing the profile using a runner.
type DockerRunner ¶
DockerRunner represents a runner for docker.
func NewDockerRunner ¶
func NewDockerRunner(img, cmd string) (*DockerRunner, error)
NewDockerRunner initialises DockerRunner.
func (*DockerRunner) RunWithSeccomp ¶
func (r *DockerRunner) RunWithSeccomp(profile *specs.LinuxSeccomp) (err error)
RunWithSeccomp creates a container and runs the defined command.
type ProfileTemplate ¶
type ProfileTemplate string
ProfileTemplate represents a type for seccomp templates.
const ( // WebTemplate represents a seccomp profile for web applications. WebTemplate ProfileTemplate = "web" )
type ProfileVerifier ¶
type ProfileVerifier struct {
// contains filtered or unexported fields
}
ProfileVerifier holds the logic for validating seccomp profiles.
func NewProfileVerifier ¶
func NewProfileVerifier(profileReader io.Reader) *ProfileVerifier
NewProfileVerifier initialises and returns a new ProfileVerifier.
func (*ProfileVerifier) Run ¶
func (v *ProfileVerifier) Run() ([]Warning, error)
Run executes a seccomp profile validation, returning a list of Warning entries for the high-risk system calls found, along with an error if the validation could not be completed.
type Seccomp ¶
type Seccomp struct { NilProfileForNoCalls bool // contains filtered or unexported fields }
Seccomp represents the seccomp profile generation functionality.
func NewSeccomp ¶
func NewSeccomp(syscallsSource SyscallsSource) *Seccomp
NewSeccomp initialises a new Seccomp.
func (*Seccomp) GetProfile ¶
func (s *Seccomp) GetProfile() (*specs.LinuxSeccomp, error)
GetProfile returns a seccomp profile based on the source defined.
type SyscallsFromGo ¶
type SyscallsFromGo struct {
// contains filtered or unexported fields
}
SyscallsFromGo represents a syscalls source from go executables.
func NewSyscallsFromGo ¶
func NewSyscallsFromGo(filePath string) *SyscallsFromGo
NewSyscallsFromGo initialises and returns a new SyscallsFromGo.
func (*SyscallsFromGo) GetSystemCalls ¶
func (s *SyscallsFromGo) GetSystemCalls() (*specs.LinuxSyscall, error)
GetSystemCalls returns all system calls found in the go executable specified at filePath.
type SyscallsFromLog ¶
type SyscallsFromLog struct {
// contains filtered or unexported fields
}
SyscallsFromLog represents a syscalls source from syslog files.
func NewSyscallsFromLog ¶
func NewSyscallsFromLog(reader io.Reader, processID int) *SyscallsFromLog
NewSyscallsFromLog initialises and returns a new SyscallsFromLog.
func (*SyscallsFromLog) GetSystemCalls ¶
func (s *SyscallsFromLog) GetSystemCalls() (*specs.LinuxSyscall, error)
GetSystemCalls returns all system calls found in the syslog for a given processID.
type SyscallsFromTemplate ¶
type SyscallsFromTemplate struct {
// contains filtered or unexported fields
}
SyscallsFromTemplate represents a template with pre-defined syscalls.
func NewSyscallsFromTemplate ¶
func NewSyscallsFromTemplate(name ProfileTemplate) *SyscallsFromTemplate
NewSyscallsFromTemplate initialises and returns a new SyscallsFromTemplate.
func (*SyscallsFromTemplate) GetSystemCalls ¶
func (s *SyscallsFromTemplate) GetSystemCalls() (*specs.LinuxSyscall, error)
GetSystemCalls returns all system calls from a pre-defined template.
type SyscallsSource ¶
type SyscallsSource interface {
GetSystemCalls() (*specs.LinuxSyscall, error)
}
SyscallsSource defines the interface for syscalls sources.