seccomp

package v1.1.4

Warning: This package is not in the latest version of its module.

Published: Jan 8, 2016 License: Apache-2.0 Imports: 5 Imported by: 0

Documentation

Overview

Package seccomp provides native seccomp ( https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt ) support for Go.

Index

Constants

This section is empty.

Variables

var (
	ErrUnresolvedLabel      = errors.New("seccomp: unresolved label")
	ErrDuplicateLabel       = errors.New("seccomp: duplicate label use")
	ErrUnsupportedOperation = errors.New("seccomp: unsupported operation for argument")
)

Functions

This section is empty.

Types

type Action

type Action int

Action is the type of action that will be taken when a syscall is performed.

const (
	Kill  Action = iota - 3 // Kill the calling process of the syscall.
	Trap                    // Trap and coredump the calling process of the syscall.
	Allow                   // Allow the syscall to be completed.
)

func Error

func Error(code syscall.Errno) Action

Error returns an Action that will be used to send the calling process the specified errno when the syscall is made.

type Arg

type Arg struct {
	Index uint32   // index of the syscall argument, starting from zero
	Op    Operator // comparison to apply, such as EQ/NE/GT/LT
	Value uint     // value the argument is compared against
}

Arg represents an argument to the syscall with the argument's index, the operator to apply when matching, and the argument's value at that time.

type Args

type Args [][]Arg

type Context

type Context struct {
	// contains filtered or unexported fields
}

Context holds syscalls for the current process to limit the type of actions the calling process can make.

func New

func New() *Context

New returns a new syscall context for use.

func (*Context) Add

func (c *Context) Add(s *Syscall)

Add will add the specified syscall, action, and arguments to the seccomp Context.

func (*Context) Load

func (c *Context) Load() error

Load will apply the Context to the calling process, making the seccomp restrictions take effect for that process once the context is loaded.

func (*Context) Remove

func (c *Context) Remove(call uint32)

Remove removes the specified syscall configuration from the Context.

type Operator

type Operator int

Operator is the comparison used when matching a syscall argument.

const (
	EqualTo Operator = iota
	NotEqualTo
	GreatherThan
	LessThan
	MaskEqualTo
)

type Syscall

type Syscall struct {
	// Value is the syscall number.
	Value uint32
	// Action is the action to perform when the specified syscall is made.
	Action Action
	// Args are filters that can be specified on the arguments to the syscall.
	Args Args
}

Syscall is the specified syscall, action, and any type of arguments to filter on.
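The types on this page (Action, Arg, Args, Operator, Syscall, Context with Add/Remove) describe a policy but say nothing about how a given syscall invocation is matched. The following added example, which is not part of this package, mirrors those declarations locally so it compiles without the package's import path and adds a user-space Evaluate method that reports which Action a Context assigns to a (syscall number, argument values) tuple. Everything beyond the page's declarations is an assumption and is marked as such in the code: that Error encodes the errno as a non-negative Action (inferred from the iota-3 layout of the constants), that each inner []Arg is a conjunction and the outer slice a disjunction, that MaskEqualTo holds when every bit of Value is set in the argument, and the constructed Linux x86-64 syscall numbers. Load is deliberately omitted: this model never installs a filter.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// Local mirror of the page's declarations (stand-in, not the package's code).
type Action int

const (
	Kill  Action = iota - 3 // Kill the calling process of the syscall.
	Trap                    // Trap and coredump the calling process of the syscall.
	Allow                   // Allow the syscall to be completed.
)

// Error maps an errno onto the non-negative Action range. Assumption: the
// iota-3 layout above leaves 0.. free for errno values, so Action(code) is used.
func Error(code syscall.Errno) Action { return Action(code) }

type Operator int

const (
	EqualTo Operator = iota
	NotEqualTo
	GreatherThan
	LessThan
	MaskEqualTo
)

type Arg struct {
	Index uint32
	Op    Operator
	Value uint
}

type Args [][]Arg

type Syscall struct {
	Value  uint32
	Action Action
	Args   Args
}

var ErrUnsupportedOperation = errors.New("seccomp: unsupported operation for argument")

// Context keyed by syscall number; Add replaces any earlier rule for that number.
type Context struct{ calls map[uint32]*Syscall }

func New() *Context                  { return &Context{calls: map[uint32]*Syscall{}} }
func (c *Context) Add(s *Syscall)     { c.calls[s.Value] = s }
func (c *Context) Remove(call uint32) { delete(c.calls, call) }

// matchArg compares one actual argument value against one filter condition.
func matchArg(a Arg, actual uint) (bool, error) {
	switch a.Op {
	case EqualTo:
		return actual == a.Value, nil
	case NotEqualTo:
		return actual != a.Value, nil
	case GreatherThan:
		return actual > a.Value, nil
	case LessThan:
		return actual < a.Value, nil
	case MaskEqualTo:
		// Assumption: Value is the mask; true when every masked bit is set.
		return (actual & a.Value) == a.Value, nil
	}
	return false, ErrUnsupportedOperation
}

// Evaluate returns the Action for syscall nr with the given argument values.
// The bool is false when no rule applies (unknown syscall, or all Args groups
// fail), so the caller decides the default. Assumption: inner []Arg groups
// are ANDed, the outer slice is ORed, and empty Args matches unconditionally.
func (c *Context) Evaluate(nr uint32, args []uint) (Action, bool, error) {
	s, found := c.calls[nr]
	if !found {
		return 0, false, nil
	}
	if len(s.Args) == 0 {
		return s.Action, true, nil
	}
	for _, group := range s.Args {
		matched := true
		for _, a := range group {
			if int(a.Index) >= len(args) { // argument not supplied: group fails
				matched = false
				break
			}
			ok, err := matchArg(a, args[a.Index])
			if err != nil {
				return 0, false, err
			}
			if !ok {
				matched = false
				break
			}
		}
		if matched {
			return s.Action, true, nil
		}
	}
	return 0, false, nil
}

// Constructed syscall numbers (Linux x86-64); use syscall.SYS_* for the real target.
const (
	sysWrite  uint32 = 1
	sysSocket uint32 = 41
	sysPtrace uint32 = 101
)

// examplePolicy: ptrace is killed, socket() gets EPERM unless the domain
// argument equals 1 (constructed AF_UNIX value), write() to fd 2 is allowed.
func examplePolicy() *Context {
	c := New()
	c.Add(&Syscall{Value: sysPtrace, Action: Kill})
	c.Add(&Syscall{Value: sysSocket, Action: Error(syscall.EPERM),
		Args: Args{{{Index: 0, Op: NotEqualTo, Value: 1}}}})
	c.Add(&Syscall{Value: sysWrite, Action: Allow,
		Args: Args{{{Index: 0, Op: EqualTo, Value: 2}}}})
	return c
}

func main() {
	c := examplePolicy()
	for _, tc := range []struct {
		nr   uint32
		args []uint
	}{{sysPtrace, nil}, {sysSocket, []uint{2, 1, 0}}, {sysSocket, []uint{1, 1, 0}}, {sysWrite, []uint{2, 0, 10}}} {
		act, matched, err := c.Evaluate(tc.nr, tc.args)
		fmt.Printf("syscall %d args %v -> action %d matched %v err %v\n", tc.nr, tc.args, act, matched, err)
	}
}
```

Evaluate is a dry-run of the policy, useful for unit-testing a Context before a process calls Load, where a wrong rule can only be observed as a killed or failing process; the real enforcement is the kernel BPF filter the package installs, which this model does not reproduce.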
