seccomp

package
v0.0.0-...-683b059
Published: Apr 23, 2022 License: BSD-3-Clause Imports: 9 Imported by: 0

Documentation

Overview

Package seccomp leverages integration tests for generating Minijail seccomp policies.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CommandContext

func CommandContext(ctx context.Context, logPath, name string, arg ...string) *testexec.Cmd

CommandContext wraps testexec.CommandContext, injecting the strace command and its arguments so that the strace log is written to the specified path.

Types

type Filter

type Filter int

Filter is an enum conveying whether the target process performs Minijail sandboxing, so that syscalls made before the sandbox has been entered can be ignored.

const (
	IncludeAllSyscalls Filter = iota
	ExcludeSyscallsBeforeSandboxing
)

See the comment on type Filter.

type PolicyGenerator

type PolicyGenerator struct {
	// contains filtered or unexported fields
}

PolicyGenerator keeps track of which syscalls have been observed, and of the values of a subset of their arguments, for the purpose of generating a Minijail seccomp policy.

It is a reimplementation of https://chromium.googlesource.com/aosp/platform/external/minijail/+/HEAD/tools/generate_seccomp_policy.py, with the goal of not making Python a dependency of tast.

func NewPolicyGenerator

func NewPolicyGenerator() *PolicyGenerator

NewPolicyGenerator creates an initialized PolicyGenerator with the sensitive syscalls marked, so that they can be filtered by argument.

func (*PolicyGenerator) AddStraceLog

func (m *PolicyGenerator) AddStraceLog(logFile string, filter Filter) (rerr error)

AddStraceLog reads the strace log at logFile and applies its contents to the Minijail policy generator.

func (*PolicyGenerator) AddSyscall

func (m *PolicyGenerator) AddSyscall(syscall, params string) bool

AddSyscall records a particular syscall in the frequency data. For sensitive system calls, params is parsed so that an argument filter can be computed.

func (*PolicyGenerator) GeneratePolicy

func (m *PolicyGenerator) GeneratePolicy() string

GeneratePolicy returns the Minijail policy that results from the system call frequency data, listed in decreasing order of occurrence. Ties are sorted alphabetically.
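As an added example, not code from the tast seccomp package, the following self-contained Go function shows the policy-generation logic that AddSyscall and GeneratePolicy describe: counting syscalls from strace lines, building an argument filter for the sensitive ones, and emitting rules most-frequent-first with alphabetical ties. The set of inspected syscalls (socket and prctl, filtered on arg0) and the comma-split argument parsing are assumptions chosen for illustration, not the package's actual list or parser.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Syscalls whose argument gets a filter, name -> arg index (assumed set, for illustration).
var inspected = map[string]int{"socket": 0, "prctl": 0}

// GeneratePolicy counts syscalls in strace -f lines ("pid name(args) = ret") and emits Minijail
// "name: rule" lines, most frequent first, ties alphabetical; inspected syscalls get an arg filter.
func GeneratePolicy(lines []string) string {
	count, rules, names := map[string]int{}, map[string]map[string]bool{}, []string{}
	for _, l := range lines {
		head, rest, _ := strings.Cut(l, "(")
		params, _, ok := strings.Cut(rest, ") = ")
		f := strings.Fields(head) // optional pid (or "[pid N]"), then the syscall name
		if !ok || len(f) == 0 {
			continue // skip signal, exit and unfinished/resumed lines
		}
		name, args := f[len(f)-1], strings.Split(params, ",") // comma split: fine for scalar leading args
		if count[name] == 0 {
			names = append(names, name)
		}
		count[name]++
		if i, ok := inspected[name]; ok && i < len(args) {
			if rules[name] == nil {
				rules[name] = map[string]bool{}
			}
			rules[name][fmt.Sprintf("arg%d == %s", i, strings.TrimSpace(args[i]))] = true
		}
	}
	sort.Strings(names) // alphabetical first, so the stable sort below keeps ties in that order
	sort.SliceStable(names, func(a, b int) bool { return count[names[a]] > count[names[b]] })
	var sb strings.Builder
	for _, n := range names {
		var conds []string
		for c := range rules[n] {
			conds = append(conds, c)
		}
		if conds == nil {
			conds = []string{"1"} // no argument filter: the syscall is allowed unconditionally
		}
		sort.Strings(conds)
		fmt.Fprintf(&sb, "%s: %s\n", n, strings.Join(conds, " || "))
	}
	return sb.String()
}
```

Feed it the lines of an `strace -f -o <log>` capture; a syscall seen with several values of the inspected argument yields one `arg0 == X || arg0 == Y` rule covering each observed value.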

func (*PolicyGenerator) LookupSyscall

func (m *PolicyGenerator) LookupSyscall(syscall string) (int, string)

LookupSyscall gets the frequency count and seccomp policy rule for a system call. If the system call isn't found in the frequency data, {0, ""} is returned.
