seccomp

package seccomp

Version: v0.0.0-...-04e5504 (not the latest version of its module)

Published: Mar 3, 2021 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CallForkmknod

func CallForkmknod(c Instance, dev deviceConfig.Device, requestPID int) int

CallForkmknod executes fork mknod.

func CreateProfile

func CreateProfile(s *state.State, c Instance) error

CreateProfile creates a seccomp profile.

func DeleteProfile

func DeleteProfile(c Instance)

DeleteProfile removes a seccomp profile.

func InstanceNeedsIntercept

func InstanceNeedsIntercept(s *state.State, c Instance) (bool, error)

InstanceNeedsIntercept returns whether the instance needs syscall interception.

func InstanceNeedsPolicy

func InstanceNeedsPolicy(c Instance) bool

InstanceNeedsPolicy returns whether the instance needs a seccomp policy.

func MountSyscallFilter

func MountSyscallFilter(config map[string]string) []string

MountSyscallFilter creates a mount syscall filter from the config.

func ProfilePath

func ProfilePath(c Instance) string

ProfilePath returns the seccomp path for the instance.

func SyscallInterceptMountFilter

func SyscallInterceptMountFilter(config map[string]string) (map[string]string, error)

SyscallInterceptMountFilter creates a new mount syscall interception filter.

func TaskIDs

func TaskIDs(pid int) (int64, int64, int64, int64, error)

TaskIDs returns the task IDs for a process.

Types

type Instance

type Instance interface {
	Name() string
	Project() string
	ExpandedConfig() map[string]string
	IsPrivileged() bool
	Architecture() int
	RootfsPath() string
	CurrentIdmap() (*idmap.IdmapSet, error)
	DiskIdmap() (*idmap.IdmapSet, error)
	InsertSeccompUnixDevice(prefix string, m deviceConfig.Device, pid int) error
}

Instance is a seccomp-specific instance interface. It is used instead of instance.Instance to avoid import loops.

type Iovec

type Iovec struct {
	// contains filtered or unexported fields
}

Iovec defines an iovec to move data between kernel and userspace.

func NewSeccompIovec

func NewSeccompIovec(ucred *ucred.UCred) *Iovec

NewSeccompIovec creates a new seccomp iovec.

func (*Iovec) IsValidSeccompIovec

func (siov *Iovec) IsValidSeccompIovec(size uint64) bool

IsValidSeccompIovec checks whether a seccomp iovec is valid.

func (*Iovec) PutSeccompIovec

func (siov *Iovec) PutSeccompIovec()

PutSeccompIovec puts a seccomp iovec.

func (*Iovec) ReceiveSeccompIovec

func (siov *Iovec) ReceiveSeccompIovec(fd int) (uint64, error)

ReceiveSeccompIovec receives a seccomp iovec.

func (*Iovec) SendSeccompIovec

func (siov *Iovec) SendSeccompIovec(fd int, errno int, flags uint32) error

SendSeccompIovec sends a seccomp iovec.

type MknodArgs

type MknodArgs struct {
	// contains filtered or unexported fields
}

MknodArgs holds the arguments for mknod.

type MountArgs

type MountArgs struct {
	// contains filtered or unexported fields
}

MountArgs holds the arguments for mount.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server defines a seccomp server.

func NewSeccompServer

func NewSeccompServer(s *state.State, path string, findPID func(pid int32, state *state.State) (Instance, error)) (*Server, error)

NewSeccompServer creates a new seccomp server.

func (*Server) HandleInvalid

func (s *Server) HandleInvalid(fd int, siov *Iovec)

HandleInvalid sends a dummy message to LXC. LXC notices the short write and sends a default message to the kernel, thereby avoiding a 30s hang.

func (*Server) HandleMknodSyscall

func (s *Server) HandleMknodSyscall(c Instance, siov *Iovec) int

HandleMknodSyscall handles a mknod syscall.

func (*Server) HandleMknodatSyscall

func (s *Server) HandleMknodatSyscall(c Instance, siov *Iovec) int

HandleMknodatSyscall handles a mknodat syscall.

func (*Server) HandleMountSyscall

func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int

HandleMountSyscall handles mount syscalls.

func (*Server) HandleSetxattrSyscall

func (s *Server) HandleSetxattrSyscall(c Instance, siov *Iovec) int

HandleSetxattrSyscall handles setxattr syscalls.

func (*Server) HandleValid

func (s *Server) HandleValid(fd int, siov *Iovec, findPID func(pid int32, state *state.State) (Instance, error)) error

HandleValid handles a valid seccomp notifier message.

func (*Server) MountSyscallShift

func (s *Server) MountSyscallShift(c Instance) bool

MountSyscallShift checks whether this mount syscall needs shiftfs.

func (*Server) MountSyscallValid

func (s *Server) MountSyscallValid(c Instance, args *MountArgs) (bool, string)

MountSyscallValid checks whether this is a mount syscall we intercept.

func (*Server) Stop

func (s *Server) Stop() error

Stop stops a seccomp server.

type SetxattrArgs

type SetxattrArgs struct {
	// contains filtered or unexported fields
}

SetxattrArgs holds the arguments for setxattr.
