Documentation ¶
Index ¶
- Constants
- Variables
- func ConvertCIDRToSocketKey(CIDR string) [8]byte
- func ConvertToInodes(paths []string, pathPrefixOfContainers *[]string) []uint64
- func DoLgetxattr(path, attr string, dest []byte) (int, error)
- func GenerateHostProfileBody(securityPolicies []tp.HostSecurityPolicy) (int, string)
- func GenerateHostProfileFoot() string
- func GenerateHostProfileHead() string
- func GenerateProfileBody(securityPolicies []tp.SecurityPolicy) (int, string)
- func GenerateProfileFoot() string
- func GenerateProfileHead(...) string
- func GetSELinuxType(path string) (string, error)
- func KABEGetMapByProgName(name edt.KABPFProgName) edt.KABPFMap
- func KABEGetProg(name edt.KABPFProgName) edt.KABPFProg
- func Lgetxattr(path, attr string) ([]byte, error)
- type AppArmorEnforcer
- func (ae *AppArmorEnforcer) CreateAppArmorHostProfile() error
- func (ae *AppArmorEnforcer) DestroyAppArmorEnforcer() error
- func (ae *AppArmorEnforcer) GenerateAppArmorHostProfile(secPolicies []tp.HostSecurityPolicy) (int, string, bool)
- func (ae *AppArmorEnforcer) GenerateAppArmorProfile(appArmorProfile string, securityPolicies []tp.SecurityPolicy) (int, string, bool)
- func (ae *AppArmorEnforcer) RegisterAppArmorHostProfile() bool
- func (ae *AppArmorEnforcer) RegisterAppArmorProfile(profileName string) bool
- func (ae *AppArmorEnforcer) RemoveAppArmorHostProfile() error
- func (ae *AppArmorEnforcer) UnregisterAppArmorHostProfile() bool
- func (ae *AppArmorEnforcer) UnregisterAppArmorProfile(profileName string) bool
- func (ae *AppArmorEnforcer) UpdateAppArmorHostProfile(secPolicies []tp.HostSecurityPolicy)
- func (ae *AppArmorEnforcer) UpdateAppArmorProfile(endPoint tp.EndPoint, appArmorProfile string, ...)
- func (ae *AppArmorEnforcer) UpdateHostSecurityPolicies(secPolicies []tp.HostSecurityPolicy)
- func (ae *AppArmorEnforcer) UpdateSecurityPolicies(endPoint tp.EndPoint)
- type BPFEnforcer
- func (be *BPFEnforcer) CleanupBPFPolicies(endPoint *tp.EndPoint)
- func (be *BPFEnforcer) DeleteInodePidNSID(pgName tp.BPFPolicyType, pidNSID uint64) error
- func (be *BPFEnforcer) DeleteSocketCIDR(pgName tp.BPFPolicyType, CIDR string) error
- func (be *BPFEnforcer) DestroyBPFEnforcer() error
- func (be *BPFEnforcer) DestroyEnforceMaps(bman *edt.KABPFManager) error
- func (be *BPFEnforcer) DestroyEnforcePrograms(bman *edt.KABPFManager) error
- func (be *BPFEnforcer) HostSecurityPolicyToBPFPolicy(secHostPolicy tp.HostSecurityPolicy) []tp.BPFPolicy
- func (be *BPFEnforcer) InitializeEnforceMaps(bman *edt.KABPFManager) error
- func (be *BPFEnforcer) InitializeEnforcePrograms(bman *edt.KABPFManager) error
- func (be *BPFEnforcer) UpdateHostSecurityPolicies(secHostPolicies []tp.HostSecurityPolicy)
- func (be *BPFEnforcer) UpdateInodeMap(pgName tp.BPFPolicyType, pidNSID uint64, inodes [MAX_POLICY_VALUES]uint64) error
- func (be *BPFEnforcer) UpdateSecurityPolicies(endPoint *tp.EndPoint)
- func (be *BPFEnforcer) UpdateSocketMap(pgName tp.BPFPolicyType, CIDR string, pidNSIDs [MAX_POLICY_VALUES]uint64) error
- type InodeBPCKSECMapElement
- func (indbpcksecme *InodeBPCKSECMapElement) KeyPointer() unsafe.Pointer
- func (indbpcksecme *InodeBPCKSECMapElement) MapName() string
- func (indbpcksecme *InodeBPCKSECMapElement) SetFoundValue(value []byte)
- func (indbpcksecme *InodeBPCKSECMapElement) SetKey(pidns uint64)
- func (indbpcksecme *InodeBPCKSECMapElement) SetValue(inodes [128]uint64)
- func (indbpcksecme *InodeBPCKSECMapElement) ValuePointer() unsafe.Pointer
- type InodeMkdirMapElement
- func (indmkme *InodeMkdirMapElement) KeyPointer() unsafe.Pointer
- func (indmkme *InodeMkdirMapElement) MapName() string
- func (indmkme *InodeMkdirMapElement) SetFoundValue(value []byte)
- func (indmkme *InodeMkdirMapElement) SetKey(pidns uint64)
- func (indmkme *InodeMkdirMapElement) SetValue(inodes [128]uint64)
- func (indmkme *InodeMkdirMapElement) ValuePointer() unsafe.Pointer
- type InodePermissionMapElement
- func (indpme *InodePermissionMapElement) KeyPointer() unsafe.Pointer
- func (indpme *InodePermissionMapElement) MapName() string
- func (indpme *InodePermissionMapElement) SetFoundValue(value []byte)
- func (indpme *InodePermissionMapElement) SetKey(pidns uint64)
- func (indpme *InodePermissionMapElement) SetValue(inodes [MAX_POLICY_VALUES]uint64)
- func (indpme *InodePermissionMapElement) ValuePointer() unsafe.Pointer
- type InodeRmdirMapElement
- func (indrmme *InodeRmdirMapElement) KeyPointer() unsafe.Pointer
- func (indrmme *InodeRmdirMapElement) MapName() string
- func (indrmme *InodeRmdirMapElement) SetFoundValue(value []byte)
- func (indrmme *InodeRmdirMapElement) SetKey(pidns uint64)
- func (indrmme *InodeRmdirMapElement) SetValue(inodes [128]uint64)
- func (indrmme *InodeRmdirMapElement) ValuePointer() unsafe.Pointer
- type RuntimeEnforcer
- func (re *RuntimeEnforcer) CleanupBPFPolicies(endPoint tp.EndPoint)
- func (re *RuntimeEnforcer) DestroyRuntimeEnforcer() error
- func (re *RuntimeEnforcer) UpdateAppArmorProfiles(action string, profiles map[string]string)
- func (re *RuntimeEnforcer) UpdateHostSecurityPolicies(secPolicies []tp.HostSecurityPolicy)
- func (re *RuntimeEnforcer) UpdateSELinuxProfiles(action string, profiles map[string]string, hostVolumes []tp.HostVolumeMount)
- func (re *RuntimeEnforcer) UpdateSecurityPolicies(endPoint *tp.EndPoint)
- type SELinuxEnforcer
- func (se *SELinuxEnforcer) DestroySELinuxEnforcer() error
- func (se *SELinuxEnforcer) GenerateSELinuxProfile(endPoint tp.EndPoint, profileName string, securityPolicies []tp.SecurityPolicy) (int, string, bool)
- func (se *SELinuxEnforcer) RegisterSELinuxProfile(containerName string, hostVolumes []tp.HostVolumeMount, profileName string) bool
- func (se *SELinuxEnforcer) UnregisterSELinuxProfile(profileName string) bool
- func (se *SELinuxEnforcer) UpdateHostSecurityPolicies(secPolicies []tp.HostSecurityPolicy)
- func (se *SELinuxEnforcer) UpdateSELinuxProfile(endPoint tp.EndPoint, seLinuxProfile string, ...)
- func (se *SELinuxEnforcer) UpdateSecurityPolicies(endPoint tp.EndPoint)
- type SocketConnectMapElement
- func (skcnme *SocketConnectMapElement) KeyPointer() unsafe.Pointer
- func (skcnme *SocketConnectMapElement) MapName() string
- func (skcnme *SocketConnectMapElement) SetFoundValue(value []byte)
- func (skcnme *SocketConnectMapElement) SetKey(IPCIDR [8]byte)
- func (skcnme *SocketConnectMapElement) SetValue(pidNSIDs [MAX_POLICY_VALUES]uint64)
- func (skcnme *SocketConnectMapElement) ValuePointer() unsafe.Pointer
- type SocketSendmsgMapElement
- func (sksmsgme *SocketSendmsgMapElement) KeyPointer() unsafe.Pointer
- func (sksmsgme *SocketSendmsgMapElement) MapName() string
- func (sksmsgme *SocketSendmsgMapElement) SetFoundValue(value []byte)
- func (sksmsgme *SocketSendmsgMapElement) SetKey(IPCIDR [8]byte)
- func (sksmsgme *SocketSendmsgMapElement) SetValue(pidNSIDs [MAX_POLICY_VALUES]uint64)
- func (sksmsgme *SocketSendmsgMapElement) ValuePointer() unsafe.Pointer
Constants ¶
// BPF map names used by the enforcer, paired with the object file that
// defines each map. The socket maps live in socket.bpf.o, every inode-related
// map (including the bprm_check_security map) lives in inode.bpf.o.
const (
	// socket.bpf.o
	KABESocketConnectMap     edt.KABPFMapName     = "socket_connect_map"
	KABESocketConnectMapFile edt.KABPFObjFileName = "socket.bpf.o"
	KABESocketSendmsgMap     edt.KABPFMapName     = "socket_sendmsg_map"
	KABESocketSendmsgMapFile edt.KABPFObjFileName = "socket.bpf.o"

	// inode.bpf.o
	KABEInodePermissionMap     edt.KABPFMapName     = "inode_permission_map"
	KABEInodePermissionMapFile edt.KABPFObjFileName = "inode.bpf.o"
	KABEInodeMkdirMap          edt.KABPFMapName     = "inode_mkdir_map"
	KABEInodeMkdirMapFile      edt.KABPFObjFileName = "inode.bpf.o"
	KABEInodeRmdirMap          edt.KABPFMapName     = "inode_rmdir_map"
	KABEInodeRmdirMapFile      edt.KABPFObjFileName = "inode.bpf.o"
	KABEInodeBPCKSECMap        edt.KABPFMapName     = "bprm_check_security_map"
	KABEInodeBPCKSECMapFile    edt.KABPFObjFileName = "inode.bpf.o"
)
// BPF program names, the LSM hook (event) each one attaches to, and the
// object file that carries it. Each triple below is one program.
//
// KABEHelloProg is a sample program on the file_open hook; it is not part of
// KABEProgs, so it is presumably not loaded by the enforcer — confirm.
const (
	// hello.bpf.o
	KABEHelloProg     edt.KABPFProgName    = "hello_prog"
	KABEHelloEvent    edt.KABPFEventName   = "file_open"
	KABEHelloProgFile edt.KABPFObjFileName = "hello.bpf.o"

	// socket.bpf.o
	KABESocketConnectProg     edt.KABPFProgName    = "socket_connect_prog"
	KABESocketConnectEvent    edt.KABPFEventName   = "socket_connect"
	KABESocketConnectProgFile edt.KABPFObjFileName = "socket.bpf.o"
	KABESocketSendmsgProg     edt.KABPFProgName    = "socket_sendmsg_prog"
	KABESocketSendmsgEvent    edt.KABPFEventName   = "socket_sendmsg"
	KABESocketSendmsgProgFile edt.KABPFObjFileName = "socket.bpf.o"

	// inode.bpf.o
	KABEInodePermissionProg     edt.KABPFProgName    = "inode_permission_prog"
	KABEInodePermissionEvent    edt.KABPFEventName   = "inode_permission"
	KABEInodePermissionProgFile edt.KABPFObjFileName = "inode.bpf.o"
	KABEInodeMkdirProg          edt.KABPFProgName    = "inode_mkdir_prog"
	KABEInodeMkdirEvent         edt.KABPFEventName   = "inode_mkdir"
	KABEInodeMkdirProgFile      edt.KABPFObjFileName = "inode.bpf.o"
	KABEInodeRmdirProg          edt.KABPFProgName    = "inode_rmdir_prog"
	KABEInodeRmdirEvent         edt.KABPFEventName   = "inode_rmdir"
	KABEInodeRmdirProgFile      edt.KABPFObjFileName = "inode.bpf.o"
	KABEInodeBPCKSECProg        edt.KABPFProgName    = "bprm_check_security_prog"
	KABEInodeBPCKSECEvent       edt.KABPFEventName   = "bprm_check_security"
	KABEInodeBPCKSECProgFile    edt.KABPFObjFileName = "inode.bpf.o"
)
// SELinux permission sets, written as space-separated access-vector
// permission lists for directories and files. The read-write sets are the
// read-only sets extended with mutating permissions.
//
// NOTE(review): "lock" appears twice in both read-write lists; SELinux policy
// tolerates the repetition, so the strings are kept verbatim.
const (
	// directory permissions
	SELinuxDirReadOnly  = "getattr search open read lock ioctl"
	SELinuxDirReadWrite = "getattr search open read lock ioctl setattr write link add_name remove_name reparent lock create unlink rename rmdir"
)

const (
	// file permissions
	SELinuxFileReadOnly  = "getattr ioctl lock open read"
	SELinuxFileReadWrite = "getattr ioctl lock open read write append lock create rename link unlink"
)
SELinux Flags
// BPFLSMObjPath is the directory the BPF LSM object files are loaded from.
//
// NOTE(review): the path is relative, so it resolves against the working
// directory of the enforcer process; confirm the process is always started
// from the expected location, since a different cwd would change which
// object files get loaded.
const BPFLSMObjPath = "./BPF/objs"
// MAX_POLICY_VALUES is the number of slots in each BPF map value array
// (inode numbers or PID-namespace IDs per key). The non-MixedCaps spelling is
// kept because the name is exported and referenced by callers.
//
// NOTE(review): several Inode*MapElement.SetValue signatures spell the array
// type as a literal [128]uint64 rather than [MAX_POLICY_VALUES]uint64; they
// must be kept in sync if this constant ever changes.
const (
	MAX_POLICY_VALUES = 128
)
Variables ¶
// KABEProgs is the fixed list of enforcement programs, one per BPF LSM hook.
// It is presumably what InitializeEnforcePrograms/DestroyEnforcePrograms
// iterate over — confirm. KABEHelloProg is deliberately absent.
var KABEProgs = [...]edt.KABPFProgName{
	KABESocketConnectProg,
	KABESocketSendmsgProg,
	KABEInodePermissionProg,
	KABEInodeMkdirProg,
	KABEInodeRmdirProg,
	KABEInodeBPCKSECProg,
}
Functions ¶
func ConvertCIDRToSocketKey ¶
///////////////// utils ///////////////////
func ConvertToInodes ¶
///////////////// utils ///////////////////
func DoLgetxattr ¶
DoLgetxattr is a wrapper that retries on EINTR
func GenerateHostProfileBody ¶
func GenerateHostProfileBody(securityPolicies []tp.HostSecurityPolicy) (int, string)
GenerateHostProfileBody Function
func GenerateHostProfileFoot ¶
func GenerateHostProfileFoot() string
GenerateHostProfileFoot Function
func GenerateHostProfileHead ¶
func GenerateHostProfileHead() string
GenerateHostProfileHead Function
func GenerateProfileBody ¶
func GenerateProfileBody(securityPolicies []tp.SecurityPolicy) (int, string)
GenerateProfileBody Function
func GenerateProfileHead ¶
func GenerateProfileHead(processWhiteList, fileWhiteList, networkWhiteList, capabilityWhiteList []string) string
GenerateProfileHead Function
func KABEGetMapByProgName ¶
func KABEGetMapByProgName(name edt.KABPFProgName) edt.KABPFMap
func KABEGetProg ¶
func KABEGetProg(name edt.KABPFProgName) edt.KABPFProg
Types ¶
type AppArmorEnforcer ¶
// AppArmorEnforcer holds the state used to generate, register and unregister
// AppArmor profiles for containers and for the host.
type AppArmorEnforcer struct {
	// host
	HostName string

	// options
	EnableKubeArmorPolicy     bool
	EnableKubeArmorHostPolicy bool

	// logs
	Logger *fd.Feeder

	// default profile
	ApparmorDefault string

	// host profile
	HostProfile string

	// profiles for containers
	// AppArmorProfiles maps a profile name to an int — presumably a reference
	// count of the endpoints using it; confirm against Register/UnregisterAppArmorProfile.
	AppArmorProfiles map[string]int
	// AppArmorProfilesLock guards AppArmorProfiles. It is a pointer, so a
	// zero-value AppArmorEnforcer has a nil lock; instances must come from
	// NewAppArmorEnforcer.
	AppArmorProfilesLock *sync.Mutex
}
AppArmorEnforcer Structure
func NewAppArmorEnforcer ¶
func NewAppArmorEnforcer(node tp.Node, logger *fd.Feeder) *AppArmorEnforcer
NewAppArmorEnforcer Function
func (*AppArmorEnforcer) CreateAppArmorHostProfile ¶
func (ae *AppArmorEnforcer) CreateAppArmorHostProfile() error
CreateAppArmorHostProfile Function
func (*AppArmorEnforcer) DestroyAppArmorEnforcer ¶
func (ae *AppArmorEnforcer) DestroyAppArmorEnforcer() error
DestroyAppArmorEnforcer Function
func (*AppArmorEnforcer) GenerateAppArmorHostProfile ¶
func (ae *AppArmorEnforcer) GenerateAppArmorHostProfile(secPolicies []tp.HostSecurityPolicy) (int, string, bool)
GenerateAppArmorHostProfile Function
func (*AppArmorEnforcer) GenerateAppArmorProfile ¶
func (ae *AppArmorEnforcer) GenerateAppArmorProfile(appArmorProfile string, securityPolicies []tp.SecurityPolicy) (int, string, bool)
GenerateAppArmorProfile Function
func (*AppArmorEnforcer) RegisterAppArmorHostProfile ¶
func (ae *AppArmorEnforcer) RegisterAppArmorHostProfile() bool
RegisterAppArmorHostProfile Function
func (*AppArmorEnforcer) RegisterAppArmorProfile ¶
func (ae *AppArmorEnforcer) RegisterAppArmorProfile(profileName string) bool
RegisterAppArmorProfile Function
func (*AppArmorEnforcer) RemoveAppArmorHostProfile ¶
func (ae *AppArmorEnforcer) RemoveAppArmorHostProfile() error
RemoveAppArmorHostProfile Function
func (*AppArmorEnforcer) UnregisterAppArmorHostProfile ¶
func (ae *AppArmorEnforcer) UnregisterAppArmorHostProfile() bool
UnregisterAppArmorHostProfile Function
func (*AppArmorEnforcer) UnregisterAppArmorProfile ¶
func (ae *AppArmorEnforcer) UnregisterAppArmorProfile(profileName string) bool
UnregisterAppArmorProfile Function
func (*AppArmorEnforcer) UpdateAppArmorHostProfile ¶
func (ae *AppArmorEnforcer) UpdateAppArmorHostProfile(secPolicies []tp.HostSecurityPolicy)
UpdateAppArmorHostProfile Function
func (*AppArmorEnforcer) UpdateAppArmorProfile ¶
func (ae *AppArmorEnforcer) UpdateAppArmorProfile(endPoint tp.EndPoint, appArmorProfile string, securityPolicies []tp.SecurityPolicy)
UpdateAppArmorProfile Function
func (*AppArmorEnforcer) UpdateHostSecurityPolicies ¶
func (ae *AppArmorEnforcer) UpdateHostSecurityPolicies(secPolicies []tp.HostSecurityPolicy)
UpdateHostSecurityPolicies Function
func (*AppArmorEnforcer) UpdateSecurityPolicies ¶
func (ae *AppArmorEnforcer) UpdateSecurityPolicies(endPoint tp.EndPoint)
UpdateSecurityPolicies Function
type BPFEnforcer ¶
// BPFEnforcer applies security policies through the BPF LSM programs and maps
// declared in this package. Only exported fields are listed here; the rendered
// listing elides the unexported ones.
type BPFEnforcer struct {
	// logs
	Logger *fd.Feeder

	// host
	HostName string

	// containers
	// Containers points at the container map shared with the caller
	// (see NewBPFEnforcer); concurrent access is presumably synchronized by
	// the owner of that map — confirm.
	Containers *map[string]tp.Container

	// options
	EnableKubeArmorPolicy     bool
	EnableKubeArmorHostPolicy bool
	// contains filtered or unexported fields
}
BPFEnforcer Structure
func NewBPFEnforcer ¶
func NewBPFEnforcer(node tp.Node, logger *fd.Feeder, containers *map[string]tp.Container) *BPFEnforcer
NewBPFEnforcer Function
func (*BPFEnforcer) CleanupBPFPolicies ¶
func (be *BPFEnforcer) CleanupBPFPolicies(endPoint *tp.EndPoint)
func (*BPFEnforcer) DeleteInodePidNSID ¶
func (be *BPFEnforcer) DeleteInodePidNSID(pgName tp.BPFPolicyType, pidNSID uint64) error
func (*BPFEnforcer) DeleteSocketCIDR ¶
func (be *BPFEnforcer) DeleteSocketCIDR(pgName tp.BPFPolicyType, CIDR string) error
func (*BPFEnforcer) DestroyBPFEnforcer ¶
func (be *BPFEnforcer) DestroyBPFEnforcer() error
DestroyBPFEnforcer Function
func (*BPFEnforcer) DestroyEnforceMaps ¶
func (be *BPFEnforcer) DestroyEnforceMaps(bman *edt.KABPFManager) error
func (*BPFEnforcer) DestroyEnforcePrograms ¶
func (be *BPFEnforcer) DestroyEnforcePrograms(bman *edt.KABPFManager) error
func (*BPFEnforcer) HostSecurityPolicyToBPFPolicy ¶
func (be *BPFEnforcer) HostSecurityPolicyToBPFPolicy(secHostPolicy tp.HostSecurityPolicy) []tp.BPFPolicy
Parses a host security policy into BPF policies
func (*BPFEnforcer) InitializeEnforceMaps ¶
func (be *BPFEnforcer) InitializeEnforceMaps(bman *edt.KABPFManager) error
func (*BPFEnforcer) InitializeEnforcePrograms ¶
func (be *BPFEnforcer) InitializeEnforcePrograms(bman *edt.KABPFManager) error
func (*BPFEnforcer) UpdateHostSecurityPolicies ¶
func (be *BPFEnforcer) UpdateHostSecurityPolicies(secHostPolicies []tp.HostSecurityPolicy)
Not implemented
func (*BPFEnforcer) UpdateInodeMap ¶
func (be *BPFEnforcer) UpdateInodeMap(pgName tp.BPFPolicyType, pidNSID uint64, inodes [MAX_POLICY_VALUES]uint64) error
func (*BPFEnforcer) UpdateSecurityPolicies ¶
func (be *BPFEnforcer) UpdateSecurityPolicies(endPoint *tp.EndPoint)
UpdateSecurityPolicies Function
func (*BPFEnforcer) UpdateSocketMap ¶
func (be *BPFEnforcer) UpdateSocketMap(pgName tp.BPFPolicyType, CIDR string, pidNSIDs [MAX_POLICY_VALUES]uint64) error
type InodeBPCKSECMapElement ¶
func (*InodeBPCKSECMapElement) KeyPointer ¶
func (indbpcksecme *InodeBPCKSECMapElement) KeyPointer() unsafe.Pointer
func (*InodeBPCKSECMapElement) MapName ¶
func (indbpcksecme *InodeBPCKSECMapElement) MapName() string
func (*InodeBPCKSECMapElement) SetFoundValue ¶
func (indbpcksecme *InodeBPCKSECMapElement) SetFoundValue(value []byte)
func (*InodeBPCKSECMapElement) SetKey ¶
func (indbpcksecme *InodeBPCKSECMapElement) SetKey(pidns uint64)
func (*InodeBPCKSECMapElement) SetValue ¶
func (indbpcksecme *InodeBPCKSECMapElement) SetValue(inodes [128]uint64)
func (*InodeBPCKSECMapElement) ValuePointer ¶
func (indbpcksecme *InodeBPCKSECMapElement) ValuePointer() unsafe.Pointer
type InodeMkdirMapElement ¶
func (*InodeMkdirMapElement) KeyPointer ¶
func (indmkme *InodeMkdirMapElement) KeyPointer() unsafe.Pointer
func (*InodeMkdirMapElement) MapName ¶
func (indmkme *InodeMkdirMapElement) MapName() string
func (*InodeMkdirMapElement) SetFoundValue ¶
func (indmkme *InodeMkdirMapElement) SetFoundValue(value []byte)
func (*InodeMkdirMapElement) SetKey ¶
func (indmkme *InodeMkdirMapElement) SetKey(pidns uint64)
func (*InodeMkdirMapElement) SetValue ¶
func (indmkme *InodeMkdirMapElement) SetValue(inodes [128]uint64)
func (*InodeMkdirMapElement) ValuePointer ¶
func (indmkme *InodeMkdirMapElement) ValuePointer() unsafe.Pointer
type InodePermissionMapElement ¶
// InodePermissionMapElement is one entry of the inode-permission BPF map: a
// PID-namespace ID key (set via SetKey) mapped to a fixed array of inode
// numbers (set via SetValue). KeyPointer and ValuePointer expose these fields
// through unsafe.Pointer, so the field types — and therefore their sizes —
// presumably must match the map's key/value definition in the BPF object;
// confirm against inode.bpf.o before changing either field.
type InodePermissionMapElement struct {
	Key   uint64
	Value [MAX_POLICY_VALUES]uint64
}
func (*InodePermissionMapElement) KeyPointer ¶
func (indpme *InodePermissionMapElement) KeyPointer() unsafe.Pointer
func (*InodePermissionMapElement) MapName ¶
func (indpme *InodePermissionMapElement) MapName() string
func (*InodePermissionMapElement) SetFoundValue ¶
func (indpme *InodePermissionMapElement) SetFoundValue(value []byte)
func (*InodePermissionMapElement) SetKey ¶
func (indpme *InodePermissionMapElement) SetKey(pidns uint64)
func (*InodePermissionMapElement) SetValue ¶
func (indpme *InodePermissionMapElement) SetValue(inodes [MAX_POLICY_VALUES]uint64)
func (*InodePermissionMapElement) ValuePointer ¶
func (indpme *InodePermissionMapElement) ValuePointer() unsafe.Pointer
type InodeRmdirMapElement ¶
func (*InodeRmdirMapElement) KeyPointer ¶
func (indrmme *InodeRmdirMapElement) KeyPointer() unsafe.Pointer
func (*InodeRmdirMapElement) MapName ¶
func (indrmme *InodeRmdirMapElement) MapName() string
func (*InodeRmdirMapElement) SetFoundValue ¶
func (indrmme *InodeRmdirMapElement) SetFoundValue(value []byte)
func (*InodeRmdirMapElement) SetKey ¶
func (indrmme *InodeRmdirMapElement) SetKey(pidns uint64)
func (*InodeRmdirMapElement) SetValue ¶
func (indrmme *InodeRmdirMapElement) SetValue(inodes [128]uint64)
func (*InodeRmdirMapElement) ValuePointer ¶
func (indrmme *InodeRmdirMapElement) ValuePointer() unsafe.Pointer
type RuntimeEnforcer ¶
// RuntimeEnforcer is the front door for policy enforcement; judging by its
// methods it presumably dispatches to the AppArmor, SELinux or BPF enforcer
// depending on the LSM detected on the node — confirm in NewRuntimeEnforcer.
// Only exported fields are listed here.
type RuntimeEnforcer struct {
	// logger
	Logger *fd.Feeder

	// LSM type
	// EnforcerType names the active LSM backend; EnableBPFRE reports whether
	// the BPF enforcer is in use. Exact values are set elsewhere — TODO confirm.
	EnforcerType string
	EnableBPFRE  bool
	// contains filtered or unexported fields
}
RuntimeEnforcer Structure
func NewRuntimeEnforcer ¶
func NewRuntimeEnforcer(node tp.Node, logger *fd.Feeder, containers *map[string]tp.Container) *RuntimeEnforcer
NewRuntimeEnforcer Function
func (*RuntimeEnforcer) CleanupBPFPolicies ¶
func (re *RuntimeEnforcer) CleanupBPFPolicies(endPoint tp.EndPoint)
func (*RuntimeEnforcer) DestroyRuntimeEnforcer ¶
func (re *RuntimeEnforcer) DestroyRuntimeEnforcer() error
DestroyRuntimeEnforcer Function
func (*RuntimeEnforcer) UpdateAppArmorProfiles ¶
func (re *RuntimeEnforcer) UpdateAppArmorProfiles(action string, profiles map[string]string)
UpdateAppArmorProfiles Function
func (*RuntimeEnforcer) UpdateHostSecurityPolicies ¶
func (re *RuntimeEnforcer) UpdateHostSecurityPolicies(secPolicies []tp.HostSecurityPolicy)
UpdateHostSecurityPolicies Function
func (*RuntimeEnforcer) UpdateSELinuxProfiles ¶
func (re *RuntimeEnforcer) UpdateSELinuxProfiles(action string, profiles map[string]string, hostVolumes []tp.HostVolumeMount)
UpdateSELinuxProfiles Function
func (*RuntimeEnforcer) UpdateSecurityPolicies ¶
func (re *RuntimeEnforcer) UpdateSecurityPolicies(endPoint *tp.EndPoint)
UpdateSecurityPolicies Function
type SELinuxEnforcer ¶
// SELinuxEnforcer holds the state used to generate, register and unregister
// SELinux profiles for containers.
type SELinuxEnforcer struct {
	// logs
	Logger *fd.Feeder

	// SELinuxProfiles maps a profile name to an int — presumably a reference
	// count of the endpoints using it; confirm against Register/UnregisterSELinuxProfile.
	SELinuxProfiles map[string]int
	// SELinuxProfilesLock guards SELinuxProfiles. It is a pointer, so a
	// zero-value SELinuxEnforcer has a nil lock; instances must come from
	// NewSELinuxEnforcer.
	SELinuxProfilesLock *sync.Mutex
	// SELinuxContextTemplates is the template text used when generating
	// profiles — its exact format is not visible here; TODO confirm.
	SELinuxContextTemplates string
}
SELinuxEnforcer Structure
func NewSELinuxEnforcer ¶
func NewSELinuxEnforcer(logger *fd.Feeder) *SELinuxEnforcer
NewSELinuxEnforcer Function
func (*SELinuxEnforcer) DestroySELinuxEnforcer ¶
func (se *SELinuxEnforcer) DestroySELinuxEnforcer() error
DestroySELinuxEnforcer Function
func (*SELinuxEnforcer) GenerateSELinuxProfile ¶
func (se *SELinuxEnforcer) GenerateSELinuxProfile(endPoint tp.EndPoint, profileName string, securityPolicies []tp.SecurityPolicy) (int, string, bool)
GenerateSELinuxProfile Function
func (*SELinuxEnforcer) RegisterSELinuxProfile ¶
func (se *SELinuxEnforcer) RegisterSELinuxProfile(containerName string, hostVolumes []tp.HostVolumeMount, profileName string) bool
RegisterSELinuxProfile Function
func (*SELinuxEnforcer) UnregisterSELinuxProfile ¶
func (se *SELinuxEnforcer) UnregisterSELinuxProfile(profileName string) bool
UnregisterSELinuxProfile Function
func (*SELinuxEnforcer) UpdateHostSecurityPolicies ¶
func (se *SELinuxEnforcer) UpdateHostSecurityPolicies(secPolicies []tp.HostSecurityPolicy)
UpdateHostSecurityPolicies Function
func (*SELinuxEnforcer) UpdateSELinuxProfile ¶
func (se *SELinuxEnforcer) UpdateSELinuxProfile(endPoint tp.EndPoint, seLinuxProfile string, securityPolicies []tp.SecurityPolicy)
UpdateSELinuxProfile Function
func (*SELinuxEnforcer) UpdateSecurityPolicies ¶
func (se *SELinuxEnforcer) UpdateSecurityPolicies(endPoint tp.EndPoint)
UpdateSecurityPolicies Function
type SocketConnectMapElement ¶
// SocketConnectMapElement is one entry of the socket-connect BPF map: an
// 8-byte socket key derived from a CIDR (see ConvertCIDRToSocketKey and
// SetKey) mapped to a fixed array of PID-namespace IDs (see SetValue).
// KeyPointer and ValuePointer expose these fields through unsafe.Pointer, so
// the field sizes presumably must match the map definition in socket.bpf.o —
// confirm before changing either field.
type SocketConnectMapElement struct {
	Key   [8]byte
	Value [MAX_POLICY_VALUES]uint64
}
func (*SocketConnectMapElement) KeyPointer ¶
func (skcnme *SocketConnectMapElement) KeyPointer() unsafe.Pointer
func (*SocketConnectMapElement) MapName ¶
func (skcnme *SocketConnectMapElement) MapName() string
func (*SocketConnectMapElement) SetFoundValue ¶
func (skcnme *SocketConnectMapElement) SetFoundValue(value []byte)
func (*SocketConnectMapElement) SetKey ¶
func (skcnme *SocketConnectMapElement) SetKey(IPCIDR [8]byte)
func (*SocketConnectMapElement) SetValue ¶
func (skcnme *SocketConnectMapElement) SetValue(pidNSIDs [MAX_POLICY_VALUES]uint64)
func (*SocketConnectMapElement) ValuePointer ¶
func (skcnme *SocketConnectMapElement) ValuePointer() unsafe.Pointer
type SocketSendmsgMapElement ¶
// SocketSendmsgMapElement is one entry of the socket-sendmsg BPF map, laid out
// exactly like SocketConnectMapElement: an 8-byte socket key derived from a
// CIDR (see ConvertCIDRToSocketKey and SetKey) mapped to a fixed array of
// PID-namespace IDs (see SetValue). KeyPointer and ValuePointer expose these
// fields through unsafe.Pointer, so the field sizes presumably must match the
// map definition in socket.bpf.o — confirm before changing either field.
type SocketSendmsgMapElement struct {
	Key   [8]byte
	Value [MAX_POLICY_VALUES]uint64
}
func (*SocketSendmsgMapElement) KeyPointer ¶
func (sksmsgme *SocketSendmsgMapElement) KeyPointer() unsafe.Pointer
func (*SocketSendmsgMapElement) MapName ¶
func (sksmsgme *SocketSendmsgMapElement) MapName() string
func (*SocketSendmsgMapElement) SetFoundValue ¶
func (sksmsgme *SocketSendmsgMapElement) SetFoundValue(value []byte)
func (*SocketSendmsgMapElement) SetKey ¶
func (sksmsgme *SocketSendmsgMapElement) SetKey(IPCIDR [8]byte)
func (*SocketSendmsgMapElement) SetValue ¶
func (sksmsgme *SocketSendmsgMapElement) SetValue(pidNSIDs [MAX_POLICY_VALUES]uint64)
func (*SocketSendmsgMapElement) ValuePointer ¶
func (sksmsgme *SocketSendmsgMapElement) ValuePointer() unsafe.Pointer