seccomp

package
v24.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 25, 2023 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetDefaultProfile

func GetDefaultProfile(rs *specs.Spec) (*specs.LinuxSeccomp, error)

GetDefaultProfile returns the default seccomp profile.

func LoadProfile

func LoadProfile(body string, rs *specs.Spec) (*specs.LinuxSeccomp, error)

LoadProfile takes a json string and decodes the seccomp profile.

Types

type Architecture

type Architecture struct {
	Arch      specs.Arch   `json:"architecture"`
	SubArches []specs.Arch `json:"subArchitectures"`
}

Architecture is used to represent a specific architecture and its sub-architectures

type Filter

type Filter struct {
	Caps   []string `json:"caps,omitempty"`
	Arches []string `json:"arches,omitempty"`

	// MinKernel describes the minimum kernel version the rule must be applied
	// on, in the format "<kernel version>.<major revision>" (e.g. "3.12").
	//
	// When matching the kernel version of the host, minor revisions, and distro-
	// specific suffixes are ignored, which means that "3.12.25-gentoo", "3.12-1-amd64",
	// "3.12", and "3.12-rc5" are considered equal (kernel 3, major revision 12).
	MinKernel *KernelVersion `json:"minKernel,omitempty"`
}

Filter is used to conditionally apply Seccomp rules

type KernelVersion

type KernelVersion struct {
	Kernel uint64 // Version of the Kernel (i.e., the "4" in "4.1.2-generic")
	Major  uint64 // Major revision of the Kernel (i.e., the "1" in "4.1.2-generic")
}

KernelVersion holds information about the kernel.

func (*KernelVersion) MarshalJSON

func (k *KernelVersion) MarshalJSON() ([]byte, error)

MarshalJSON implements json.Unmarshaler for KernelVersion

func (*KernelVersion) String

func (k *KernelVersion) String() string

String implements fmt.Stringer for KernelVersion

func (*KernelVersion) UnmarshalJSON

func (k *KernelVersion) UnmarshalJSON(version []byte) error

UnmarshalJSON implements json.Marshaler for KernelVersion

type Seccomp

type Seccomp struct {
	specs.LinuxSeccomp

	// ArchMap contains a list of Architectures and Sub-architectures for the
	// profile. When generating the profile, this list is expanded to a
	// []specs.Arch, to propagate the Architectures field of the profile.
	ArchMap []Architecture `json:"archMap,omitempty"`

	// Syscalls contains lists of syscall rules. Rules can define conditions
	// for them to be included or excluded in the resulting profile (based on
	// on kernel version, architecture, capabilities, etc.). These lists are
	// expanded to an specs.Syscall  When generating the profile, these lists
	// are expanded to a []specs.LinuxSyscall.
	Syscalls []*Syscall `json:"syscalls"`
}

Seccomp represents the config for a seccomp profile for syscall restriction. It is used to marshal/unmarshal the JSON profiles as accepted by docker, and extends the runtime-spec's specs.LinuxSeccomp, overriding some fields to provide the ability to define conditional rules based on the host's kernel version, architecture, and the container's capabilities.

func DefaultProfile

func DefaultProfile() *Seccomp

DefaultProfile defines the allowed syscalls for the default seccomp profile.

type Syscall

type Syscall struct {
	specs.LinuxSyscall
	// Deprecated: kept for backward compatibility with old JSON profiles, use Names instead
	Name     string  `json:"name,omitempty"`
	Comment  string  `json:"comment,omitempty"`
	Includes *Filter `json:"includes,omitempty"`
	Excludes *Filter `json:"excludes,omitempty"`
}

Syscall is used to match a group of syscalls in Seccomp. It extends the runtime-spec Syscall type, adding a "Name" field for backward compatibility with older JSON representations, additional "Comment" metadata, and conditional rules ("Includes", "Excludes") used to generate a runtime-spec Seccomp profile based on the container (capabilities) and host's (arch, kernel) configuration.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL