sandbox

package
v5.0.0+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jun 14, 2018 License: AGPL-3.0, Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

// Seccomp filter return actions. The numeric values are the same as
// SECCOMP_RET_ALLOW and SECCOMP_RET_ERRNO in the Linux UAPI header
// <linux/seccomp.h>.
const (
	// SECCOMP_RET_ALLOW lets the system call proceed.
	SECCOMP_RET_ALLOW = 0x7fff0000
	// SECCOMP_RET_ERRNO fails the system call without executing it. In the
	// kernel ABI the low 16 bits of the returned value carry the errno.
	// NOTE(review): which errno this package ORs in is not visible here.
	SECCOMP_RET_ERRNO = 0x00050000
)
// Architecture identifiers for x86-64.
const (
	// EM_X86_64 is the ELF machine number for x86-64.
	EM_X86_64 = 62

	// AUDIT_ARCH_X86_64 combines the ELF machine number with the 64-bit and
	// little-endian flags. __AUDIT_ARCH_64BIT and __AUDIT_ARCH_LE are declared
	// elsewhere in the package (not shown here).
	// NOTE(review): presumably this is the value compared against the arch
	// field of seccomp_data. x32 system calls report the same arch value and
	// differ only by __X32_SYSCALL_BIT in the syscall number, so confirm the
	// generated filter does not admit them by accident.
	AUDIT_ARCH_X86_64 = EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE
)
// NATIVE_AUDIT_ARCH is the audit architecture treated as native; in this
// listing it is fixed to AUDIT_ARCH_X86_64.
// NOTE(review): other architectures may be defined in build-tagged files that
// are not shown here — confirm before relying on this on non-x86-64 hosts.
const NATIVE_AUDIT_ARCH = AUDIT_ARCH_X86_64

Variables

// AllowedSyscalls is a package-level list of SeccompSyscall entries; the
// documentation page elides its 271 elements.
// NOTE(review): presumably this is the default allowlist passed to
// SeccompFilter — confirm. It is an exported, mutable slice, so any importing
// code can change it before a filter is built; review the full list in the
// source rather than relying on this page.
var AllowedSyscalls = []SeccompSyscall{}/* 271 elements not displayed */

Functions

func CheckSupport

func CheckSupport() error

CheckSupport inspects the platform and environment to determine whether there are any expected issues with sandboxing. If nil is returned, no issues are expected and sandboxing should be used; a non-nil error means an issue is expected.

func EnableSeccompFilter

// EnableSeccompFilter has no upstream documentation and its body is not shown
// on this page.
// NOTE(review): presumably installs filter as the seccomp filter of the
// calling process or thread — confirm against the source. On Linux an
// installed seccomp filter cannot be removed and is inherited by children,
// and installing one without CAP_SYS_ADMIN requires no_new_privs to be set.
// Callers should treat a non-nil error as "not sandboxed" and fail closed.
func EnableSeccompFilter(filter []bpf.Instruction) error

func NewProcess

func NewProcess(ctx context.Context, config *Configuration, path string) (rpcplugin.Process, io.ReadWriteCloser, error)

NewProcess is like rpcplugin.NewProcess, but launches the process in a sandbox.

func SeccompFilter

// SeccompFilter has no upstream documentation and its body is not shown on
// this page. It takes an architecture value and a list of SeccompSyscall
// entries and returns BPF instructions.
// NOTE(review): presumably arch is an audit architecture such as
// NATIVE_AUDIT_ARCH and the result is suitable for EnableSeccompFilter —
// confirm. When reviewing the source, check that a mismatching architecture
// and any syscall not listed end in a deny action rather than
// SECCOMP_RET_ALLOW.
func SeccompFilter(arch uint32, allowedSyscalls []SeccompSyscall) (filter []bpf.Instruction)

func SupervisorProvider

// SupervisorProvider has no upstream documentation and its body is not shown
// on this page. It takes plugin bundle metadata and returns a
// plugin.Supervisor or an error.
// NOTE(review): presumably the returned supervisor runs the bundle's plugin
// inside the sandbox — confirm, and confirm it cannot fall back to an
// unsandboxed process on error.
func SupervisorProvider(bundle *model.BundleInfo) (plugin.Supervisor, error)

Types

type Configuration

// Configuration is the sandbox configuration accepted by NewProcess.
type Configuration struct {
	// MountPoints lists the mounts described by MountPoint entries.
	// NOTE(review): presumably these are the only host paths made visible
	// inside the sandbox — confirm.
	MountPoints      []*MountPoint
	// WorkingDirectory is a directory path.
	// NOTE(review): presumably the working directory of the sandboxed
	// process, resolved inside the sandbox's filesystem view — confirm.
	WorkingDirectory string
}

type MountPoint

// MountPoint describes one mount referenced from Configuration.MountPoints.
// NOTE(review): the fields presumably correspond to the source, target and
// filesystem type arguments of mount(2) — confirm against the source.
type MountPoint struct {
	Source      string
	Destination string
	Type        string
	// ReadOnly is a flag on the mount. The zero value is false, so a
	// MountPoint that does not set it is presumably writable — confirm, and
	// set it explicitly for anything the sandboxed process must not modify.
	ReadOnly    bool
}

type SeccompArgEquals

// SeccompArgEquals is a SeccompCondition (it has the Filter method).
// NOTE(review): presumably it holds when system call argument number Arg
// equals Value — confirm; the comparison logic is not shown on this page.
type SeccompArgEquals struct {
	Arg   int
	Value uint64
}

func (SeccompArgEquals) Filter

// Filter returns the BPF instructions for this condition; the body is not
// shown on this page.
// NOTE(review): seccomp BPF loads 32-bit words, so a 64-bit argument has to
// be checked as two halves whose offsets depend on byte order; that is
// presumably what littleEndian selects. The meaning of skipFalseSentinel is
// not visible here — confirm against the source.
func (c SeccompArgEquals) Filter(littleEndian bool, skipFalseSentinel uint8) []bpf.Instruction

type SeccompArgHasAnyBit

// SeccompArgHasAnyBit is a SeccompCondition (it has the Filter method).
// NOTE(review): presumably it holds when system call argument number Arg has
// at least one of the bits in Mask set — confirm; the logic is not shown on
// this page.
type SeccompArgHasAnyBit struct {
	Arg  int
	Mask uint64
}

func (SeccompArgHasAnyBit) Filter

// Filter returns the BPF instructions for this condition; the body is not
// shown on this page.
// NOTE(review): the semantics of littleEndian and skipFalseSentinel are not
// visible here — confirm against the source.
func (c SeccompArgHasAnyBit) Filter(littleEndian bool, skipFalseSentinel uint8) []bpf.Instruction

type SeccompArgHasNoBits

// SeccompArgHasNoBits is a SeccompCondition (it has the Filter method).
// NOTE(review): presumably it holds when system call argument number Arg has
// none of the bits in Mask set, which is the usual way to forbid specific
// flags on an otherwise allowed call — confirm; the logic is not shown on
// this page.
type SeccompArgHasNoBits struct {
	Arg  int
	Mask uint64
}

func (SeccompArgHasNoBits) Filter

// Filter returns the BPF instructions for this condition; the body is not
// shown on this page.
// NOTE(review): the semantics of littleEndian and skipFalseSentinel are not
// visible here — confirm against the source.
func (c SeccompArgHasNoBits) Filter(littleEndian bool, skipFalseSentinel uint8) []bpf.Instruction

type SeccompCondition

// SeccompCondition is implemented by the argument checks in this package
// (SeccompArgEquals, SeccompArgHasAnyBit, SeccompArgHasNoBits). Each
// implementation turns itself into BPF instructions.
type SeccompCondition interface {
	// Filter returns the BPF instructions for the condition.
	// NOTE(review): the contract for skipFalseSentinel (presumably a
	// placeholder jump offset used when the condition is false) is not
	// documented on this page — confirm before writing a new implementation.
	Filter(littleEndian bool, skipFalseSentinel uint8) []bpf.Instruction
}

type SeccompConditions

// SeccompConditions groups a list of SeccompCondition values.
type SeccompConditions struct {
	// All is the list of conditions in the group.
	// NOTE(review): the field name suggests every condition must hold for the
	// group to match — confirm. Also confirm how an empty list is treated,
	// since "all of nothing" would match unconditionally.
	All []SeccompCondition
}

type SeccompSyscall

// SeccompSyscall is one entry of the list passed to SeccompFilter.
type SeccompSyscall struct {
	// Syscall is a system call number.
	// NOTE(review): numbers are architecture-specific; presumably these are
	// for the architecture passed to SeccompFilter — confirm.
	Syscall uint32
	// Any is a list of condition groups.
	// NOTE(review): the field name suggests the call is allowed when any one
	// group matches, and presumably an empty list allows the call with any
	// arguments — confirm against the source.
	Any     []SeccompConditions
}
