Documentation
¶
Index ¶
- func DefaultProfile() *seccomp.Seccomp
- type Config
- func (c *Config) IsDisabled() bool
- func (c *Config) LoadDefaultProfile() error
- func (c *Config) LoadProfile(profilePath string) error
- func (c *Config) NotifierPath() string
- func (c *Config) Profile() *seccomp.Seccomp
- func (c *Config) SetNotifierPath(path string)
- func (c *Config) SetUseDefaultWhenEmpty(to bool)
- func (c *Config) Setup(ctx context.Context, msgChan chan Notification, containerID string, ...) (*Notifier, string, error)
- func (c *Config) UseDefaultWhenEmpty() bool
- type Notification
- type Notifier
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DefaultProfile ¶ added in v1.24.0
DefaultProfile is used to allow mutations from the DefaultProfile from the seccomp library. Specifically, it is used to filter `unshare` from the default profile, as it is a risky syscall for unprivileged containers to have access to.
Types ¶
type Config ¶
type Config struct {
// contains filtered or unexported fields
}
Config is the global seccomp configuration type
func (*Config) IsDisabled ¶
IsDisabled returns true if seccomp is disabled either via the missing `seccomp` buildtag or globally by the system.
func (*Config) LoadDefaultProfile ¶ added in v1.25.0
LoadDefaultProfile sets the internal default profile.
func (*Config) LoadProfile ¶
LoadProfile can be used to load a seccomp profile from the provided path. This method will not fail if seccomp is disabled.
func (*Config) NotifierPath ¶ added in v1.26.0
NotifierPath returns the currently used seccomp notifier base path.
func (*Config) SetNotifierPath ¶ added in v1.26.0
SetNotifierPath sets the default path for creating seccomp notifier sockets.
func (*Config) SetUseDefaultWhenEmpty ¶ added in v1.24.0
SetUseDefaultWhenEmpty uses the default seccomp profile if true is passed as argument, otherwise unconfined.
func (*Config) Setup ¶ added in v1.21.0
func (c *Config) Setup( ctx context.Context, msgChan chan Notification, containerID string, annotations map[string]string, specGenerator *generate.Generator, profileField *types.SecurityProfile, ) (*Notifier, string, error)
Setup can be used to setup the seccomp profile.
func (*Config) UseDefaultWhenEmpty ¶ added in v1.19.4
Returns whether the seccomp config is set to use default profile when the profile is empty
type Notification ¶ added in v1.26.0
type Notification struct {
// contains filtered or unexported fields
}
Notification is a seccomp notification which gets sent to the CRI-O server.
func (*Notification) ContainerID ¶ added in v1.26.0
func (n *Notification) ContainerID() string
ContainerID returns the container identifier for the notification.
func (*Notification) Ctx ¶ added in v1.26.0
func (n *Notification) Ctx() context.Context
Ctx returns the context of the notification.
func (*Notification) Syscall ¶ added in v1.26.0
func (n *Notification) Syscall() string
Syscall returns the syscall name for the notification.
type Notifier ¶ added in v1.26.0
type Notifier struct {
// contains filtered or unexported fields
}
Notifier wraps a seccomp notifier instance for a container.
func NewNotifier ¶ added in v1.26.0
func NewNotifier( ctx context.Context, msgChan chan Notification, containerID, listenerPath string, annotationMap map[string]string, ) (*Notifier, error)
NewNotifier starts the notifier for the provided arguments.
func (*Notifier) AddSyscall ¶ added in v1.26.0
AddSyscall can be used to add a syscall to the notifier result.
func (*Notifier) OnExpired ¶ added in v1.26.0
func (n *Notifier) OnExpired(callback func())
OnExpired calls the provided callback if the internal timer has been expired. It refreshes the timer for each call of this method.
func (*Notifier) StopContainers ¶ added in v1.26.0
StopContainers returns if the notifier should stop containers or not.
func (*Notifier) UsedSyscalls ¶ added in v1.26.0
UsedSyscalls returns a string representation of the used syscalls, sorted by their name.
Source Files