sandbox

package

v4.9.0-rc2+incompatible Latest Latest Go to latest Published: Apr 5, 2018 License: AGPL-3.0, Apache-2.0 Imports: 18 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/teloshs/mattermost-server

Documentation ¶

Rendered for

Index ¶

Constants
Variables
func CheckSupport() error
func EnableSeccompFilter(filter []bpf.Instruction) error
func NewProcess(ctx context.Context, config *Configuration, path string) (rpcplugin.Process, io.ReadWriteCloser, error)
func SeccompFilter(arch uint32, allowedSyscalls []SeccompSyscall) (filter []bpf.Instruction)
func SupervisorProvider(bundle *model.BundleInfo) (plugin.Supervisor, error)
type Configuration
type MountPoint
type SeccompArgEquals
- func (c SeccompArgEquals) Filter(littleEndian bool, skipFalseSentinel uint8) []bpf.Instruction
type SeccompArgHasAnyBit
- func (c SeccompArgHasAnyBit) Filter(littleEndian bool, skipFalseSentinel uint8) []bpf.Instruction
type SeccompArgHasNoBits
- func (c SeccompArgHasNoBits) Filter(littleEndian bool, skipFalseSentinel uint8) []bpf.Instruction
type SeccompCondition
type SeccompConditions
type SeccompSyscall

Constants ¶

View Source

const (
	SECCOMP_RET_ALLOW = 0x7fff0000
	SECCOMP_RET_ERRNO = 0x00050000
)

View Source

const (
	EM_X86_64 = 62

	AUDIT_ARCH_X86_64 = EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE
)

View Source

const NATIVE_AUDIT_ARCH = AUDIT_ARCH_X86_64

Variables ¶

View Source

var AllowedSyscalls = []SeccompSyscall{}/* 271 elements not displayed */

Functions ¶

func CheckSupport ¶

func CheckSupport() error

CheckSupport inspects the platform and environment to determine whether or not there are any expected issues with sandboxing. If nil is returned, sandboxing should be used.

func EnableSeccompFilter ¶

func EnableSeccompFilter(filter []bpf.Instruction) error

func NewProcess ¶

func NewProcess(ctx context.Context, config *Configuration, path string) (rpcplugin.Process, io.ReadWriteCloser, error)

NewProcess is like rpcplugin.NewProcess, but launches the process in a sandbox.

func SeccompFilter ¶

func SeccompFilter(arch uint32, allowedSyscalls []SeccompSyscall) (filter []bpf.Instruction)

func SupervisorProvider ¶

func SupervisorProvider(bundle *model.BundleInfo) (plugin.Supervisor, error)

Types ¶

type Configuration ¶

type Configuration struct {
	MountPoints      []*MountPoint
	WorkingDirectory string
}

type MountPoint ¶

type MountPoint struct {
	Source      string
	Destination string
	Type        string
	ReadOnly    bool
}

type SeccompArgEquals ¶

type SeccompArgEquals struct {
	Arg   int
	Value uint64
}

func (SeccompArgEquals) Filter ¶

func (c SeccompArgEquals) Filter(littleEndian bool, skipFalseSentinel uint8) []bpf.Instruction

type SeccompArgHasAnyBit ¶

type SeccompArgHasAnyBit struct {
	Arg  int
	Mask uint64
}

func (SeccompArgHasAnyBit) Filter ¶

func (c SeccompArgHasAnyBit) Filter(littleEndian bool, skipFalseSentinel uint8) []bpf.Instruction

type SeccompArgHasNoBits ¶

type SeccompArgHasNoBits struct {
	Arg  int
	Mask uint64
}

func (SeccompArgHasNoBits) Filter ¶

func (c SeccompArgHasNoBits) Filter(littleEndian bool, skipFalseSentinel uint8) []bpf.Instruction

type SeccompCondition ¶

type SeccompCondition interface {
	Filter(littleEndian bool, skipFalseSentinel uint8) []bpf.Instruction
}

type SeccompConditions ¶

type SeccompConditions struct {
	All []SeccompCondition
}

type SeccompSyscall ¶

type SeccompSyscall struct {
	Syscall uint32
	Any     []SeccompConditions
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL