seccomp

package
v0.0.0-...-263a040 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 8, 2024 License: GPL-3.0 Imports: 18 Imported by: 0

Documentation

Overview

Package seccomp implements integration between snapd and snap-confine around seccomp.

Snappy creates so-called seccomp profiles for each application (for each snap) present in the system. Upon each execution of snap-confine, the profile is read and "compiled" to an eBPF program and injected into the kernel for the duration of the execution of the process.

There is no binary cache for seccomp, each time the launcher starts an application the profile is parsed and re-compiled.

The actual profiles are stored in /var/lib/snappy/seccomp/bpf/*.{src,bin}. This directory is hard-coded in snap-confine.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MockSnapSeccompVersionInfo

func MockSnapSeccompVersionInfo(versionInfo string) (restore func())

MockSnapSeccompVersionInfo is for use in tests only.

Types

type Backend

type Backend struct {
	// contains filtered or unexported fields
}

Backend is responsible for maintaining seccomp profiles for snap-confine.

func (*Backend) Initialize

Initialize ensures that the global profile is on disk and interrogates libseccomp wrapper to generate a version string that will be used to determine if we need to recompile seccomp policy due to system changes outside of snapd.

func (*Backend) Name

func (b *Backend) Name() interfaces.SecuritySystem

Name returns the name of the backend.

func (*Backend) NewSpecification

NewSpecification returns an empty seccomp specification.

func (*Backend) Remove

func (b *Backend) Remove(snapName string) error

Remove removes seccomp profiles of a given snap.

func (*Backend) SandboxFeatures

func (b *Backend) SandboxFeatures() []string

SandboxFeatures returns the list of seccomp features supported by the kernel and userspace.

func (*Backend) Setup

Setup creates seccomp profiles specific to a given snap. The snap can be in developer mode to make security violations non-fatal to the offending application process.

This method should be called after changing plug, slots, connections between them or application present in the snap.

type Compiler

type Compiler interface {
	Compile(in, out string) error
	VersionInfo() (seccomp.VersionInfo, error)
}

type Specification

type Specification struct {
	// contains filtered or unexported fields
}

Specification keeps all the seccomp snippets.

func NewSpecification

func NewSpecification(appSet *interfaces.SnapAppSet) *Specification

func (*Specification) AddConnectedPlug

func (spec *Specification) AddConnectedPlug(iface interfaces.Interface, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error

AddConnectedPlug records seccomp-specific side-effects of having a connected plug.

func (*Specification) AddConnectedSlot

func (spec *Specification) AddConnectedSlot(iface interfaces.Interface, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error

AddConnectedSlot records seccomp-specific side-effects of having a connected slot.

func (*Specification) AddPermanentPlug

func (spec *Specification) AddPermanentPlug(iface interfaces.Interface, plug *snap.PlugInfo) error

AddPermanentPlug records seccomp-specific side-effects of having a plug.

func (*Specification) AddPermanentSlot

func (spec *Specification) AddPermanentSlot(iface interfaces.Interface, slot *snap.SlotInfo) error

AddPermanentSlot records seccomp-specific side-effects of having a slot.

func (*Specification) AddSnippet

func (spec *Specification) AddSnippet(snippet string)

AddSnippet adds a new seccomp snippet.

func (*Specification) SecurityTags

func (spec *Specification) SecurityTags() []string

SecurityTags returns a list of security tags which have a snippet.

func (*Specification) SnapAppSet

func (spec *Specification) SnapAppSet() *interfaces.SnapAppSet

func (*Specification) SnippetForTag

func (spec *Specification) SnippetForTag(tag string) string

SnippetForTag returns a combined snippet for given security tag with individual snippets joined with newline character. Empty string is returned for non-existing security tag.

func (*Specification) Snippets

func (spec *Specification) Snippets() map[string][]string

Snippets returns a deep copy of all the added snippets.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL