Documentation
Overview
Package seccomp implements integration between snapd and snap-confine around seccomp.
Snappy creates so-called seccomp profiles for each application (for each snap) present in the system. Upon each execution of snap-confine, the profile is read and "compiled" to an eBPF program and injected into the kernel for the duration of the execution of the process.
There is no binary cache for seccomp: each time the launcher starts an application, the profile is parsed and re-compiled.
The actual profiles are stored in /var/lib/snappy/seccomp/bpf/*.{src,bin}. This directory is hard-coded in snap-confine.
Index
- func MockSnapSeccompVersionInfo(versionInfo string) (restore func())
- type Backend
- func (b *Backend) Initialize(*interfaces.SecurityBackendOptions) error
- func (b *Backend) Name() interfaces.SecuritySystem
- func (b *Backend) NewSpecification(appSet *interfaces.SnapAppSet, opts interfaces.ConfinementOptions) interfaces.Specification
- func (b *Backend) Remove(snapName string) error
- func (b *Backend) SandboxFeatures() []string
- func (b *Backend) Setup(appSet *interfaces.SnapAppSet, opts interfaces.ConfinementOptions, ...) error
- type Compiler
- type Specification
- func (spec *Specification) AddConnectedPlug(iface interfaces.Interface, plug *interfaces.ConnectedPlug, ...) error
- func (spec *Specification) AddConnectedSlot(iface interfaces.Interface, plug *interfaces.ConnectedPlug, ...) error
- func (spec *Specification) AddPermanentPlug(iface interfaces.Interface, plug *snap.PlugInfo) error
- func (spec *Specification) AddPermanentSlot(iface interfaces.Interface, slot *snap.SlotInfo) error
- func (spec *Specification) AddSnippet(snippet string)
- func (spec *Specification) SecurityTags() []string
- func (spec *Specification) SnapAppSet() *interfaces.SnapAppSet
- func (spec *Specification) SnippetForTag(tag string) string
- func (spec *Specification) Snippets() map[string][]string
Constants
This section is empty.
Variables
This section is empty.
Functions
func MockSnapSeccompVersionInfo
func MockSnapSeccompVersionInfo(versionInfo string) (restore func())
MockSnapSeccompVersionInfo is for use in tests only.
Types
type Backend
type Backend struct {
// contains filtered or unexported fields
}
Backend is responsible for maintaining seccomp profiles for snap-confine.
func (*Backend) Initialize
func (b *Backend) Initialize(*interfaces.SecurityBackendOptions) error
Initialize ensures that the global profile is on disk and interrogates the libseccomp wrapper to generate a version string that is used to determine whether the seccomp policy needs to be recompiled because of system changes made outside of snapd.
func (*Backend) Name
func (b *Backend) Name() interfaces.SecuritySystem
Name returns the name of the backend.
func (*Backend) NewSpecification
func (b *Backend) NewSpecification(appSet *interfaces.SnapAppSet, opts interfaces.ConfinementOptions) interfaces.Specification
NewSpecification returns an empty seccomp specification.
func (*Backend) SandboxFeatures
func (b *Backend) SandboxFeatures() []string
SandboxFeatures returns the list of seccomp features supported by the kernel and userspace.
func (*Backend) Setup
func (b *Backend) Setup(appSet *interfaces.SnapAppSet, opts interfaces.ConfinementOptions, repo *interfaces.Repository, tm timings.Measurer) error
Setup creates seccomp profiles specific to a given snap. The snap can be in developer mode to make security violations non-fatal to the offending application process.
This method should be called after changing plugs, slots, the connections between them, or the applications present in the snap.
type Compiler
type Compiler interface {
	Compile(in, out string) error
	VersionInfo() (seccomp.VersionInfo, error)
}
type Specification
type Specification struct {
// contains filtered or unexported fields
}
Specification keeps all the seccomp snippets.
func NewSpecification
func NewSpecification(appSet *interfaces.SnapAppSet) *Specification
func (*Specification) AddConnectedPlug
func (spec *Specification) AddConnectedPlug(iface interfaces.Interface, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error
AddConnectedPlug records seccomp-specific side-effects of having a connected plug.
func (*Specification) AddConnectedSlot
func (spec *Specification) AddConnectedSlot(iface interfaces.Interface, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error
AddConnectedSlot records seccomp-specific side-effects of having a connected slot.
func (*Specification) AddPermanentPlug
func (spec *Specification) AddPermanentPlug(iface interfaces.Interface, plug *snap.PlugInfo) error
AddPermanentPlug records seccomp-specific side-effects of having a plug.
func (*Specification) AddPermanentSlot
func (spec *Specification) AddPermanentSlot(iface interfaces.Interface, slot *snap.SlotInfo) error
AddPermanentSlot records seccomp-specific side-effects of having a slot.
func (*Specification) AddSnippet
func (spec *Specification) AddSnippet(snippet string)
AddSnippet adds a new seccomp snippet.
func (*Specification) SecurityTags
func (spec *Specification) SecurityTags() []string
SecurityTags returns a list of security tags which have a snippet.
func (*Specification) SnapAppSet
func (spec *Specification) SnapAppSet() *interfaces.SnapAppSet
func (*Specification) SnippetForTag
func (spec *Specification) SnippetForTag(tag string) string
SnippetForTag returns a combined snippet for the given security tag, with the individual snippets joined by newline characters. An empty string is returned for a non-existent security tag.
func (*Specification) Snippets
func (spec *Specification) Snippets() map[string][]string
Snippets returns a deep copy of all the added snippets.