package seccomp

import "github.com/docker/libcontainer/seccomp"

Package seccomp provides native seccomp ( https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt ) support for go.

Index ¶

• Variables
• type Action
• func Error(code syscall.Errno) Action
• type Arg
• type Args
• type Context
• func New() *Context
• func (c *Context) Add(s *Syscall)
• func (c *Context) Load() error
• func (c *Context) Remove(call uint32)
• type Operator
• type Syscall

Variables ¶

var (
	ErrUnresolvedLabel      = errors.New("seccomp: unresolved label")
	ErrDuplicateLabel       = errors.New("seccomp: duplicate label use")
	ErrUnsupportedOperation = errors.New("seccomp: unsupported operation for argument")
)

Types ¶

type Action ¶

type Action int

Action is the type of action that will be taken when a syscall is performed.

const (
	Kill  Action = iota - 3 // Kill the calling process of the syscall.
	Trap                    // Trap and coredump the calling process of the syscall.
	Allow                   // Allow the syscall to be completed.
)

func Error ¶

func Error(code syscall.Errno) Action

Error returns an Action that will be used to send the calling process the specified errno when the syscall is made.

type Arg ¶

type Arg struct {
	Index uint32   // index of args which start from zero
	Op    Operator // operation, such as EQ/NE/GE/LE
	Value uint     // the value of arg
}

Arg represents an argument to the syscall with the argument's index, the operator to apply when matching, and the argument's value at that time.

type Args ¶

type Args [][]Arg

type Context ¶

type Context struct {
	// contains filtered or unexported fields
}

Context holds syscalls for the current process to limit the type of actions the calling process can make.

func New ¶

func New() *Context

New returns a new syscall context for use.

func (*Context) Add ¶

func (c *Context) Add(s *Syscall)

Add will add the specified syscall, action, and arguments to the seccomp Context.

func (*Context) Load ¶

func (c *Context) Load() error

Load will apply the Context to the calling process makeing any secccomp process changes apply after the context is loaded.

func (*Context) Remove ¶

func (c *Context) Remove(call uint32)

Remove removes the specified syscall configuration from the Context.

type Operator ¶

type Operator int

Operator that is used for argument comparison.

const (
	EqualTo Operator = iota
	NotEqualTo
	GreatherThan
	LessThan
	MaskEqualTo
)

type Syscall ¶

type Syscall struct {
	// Value is the syscall number.
	Value uint32
	// Action is the action to perform when the specified syscall is made.
	Action Action
	// Args are filters that can be specified on the arguments to the syscall.
	Args Args
}

Syscall is the specified syscall, action, and any type of arguments to filter on.

Source Files ¶

bpf.go context.go filter.go jump_amd64.go seccomp.go