entitlements

package
v1.0.0 Latest
Published: Oct 20, 2019 License: MPL-2.0 Imports: 6 Imported by: 0

Documentation


Constants

This section is empty.

Variables

var Chown = Entitlement{
	Name: "chown",
	Syscalls: []string{
		"chown",
		"fchown",
		"fchownat",
		"lchown",
	},
}

Chown describes the ability to change ownership of files

var Exec = Entitlement{
	Name: "exec",
	Syscalls: []string{
		"execve",
		"execveat",
		"fork",
		"vfork",
	},
}

Exec includes the execve, execveat, fork and vfork system calls. clone is not part of this entitlement; glibc implements fork(3) on top of clone(2), so a process that forks through libc will need clone as well.

var KernelIO = Entitlement{
	Name: "kernel_io",
	Syscalls: []string{
		"ioperm",
		"iopl",
	},
}

KernelIO includes the system calls that grant a process access to I/O ports (ioperm, iopl)

var KernelKeyring = Entitlement{
	Name: "kernel_keyring",
	Syscalls: []string{
		"add_key",
		"request_key",
		"keyctl",
	},
}

KernelKeyring includes the system calls for interacting with the kernel key management facility (keyrings)

var KernelMemory = Entitlement{
	Name: "kernel_memory",
	Syscalls: []string{
		"get_mempolicy",
		"set_mempolicy",
		"move_pages",
		"mbind",
	},
}

KernelMemory describes the system calls that set a process's NUMA memory policy and migrate its pages between nodes

var LoadNewKernel = Entitlement{
	Name: "load_new_kernel",
	Syscalls: []string{
		"kexec_file_load",
		"kexec_load",
	},
}

LoadNewKernel includes the system calls used for loading a new kernel into memory

var Modules = Entitlement{
	Name: "modules",
	Syscalls: []string{
		"create_module",
		"delete_module",
		"finit_module",
		"get_kernel_syms",
		"init_module",
		"query_module",
	},
}

Modules includes the system calls for loading, unloading and querying kernel modules

var Mount = Entitlement{
	Name: "mount",
	Syscalls: []string{
		"mount",
		"umount",
		"umount2",
	},
}

Mount describes the system calls for mounting and unmounting file systems

var Namespaces = Entitlement{
	Name: "namespaces",
	Syscalls: []string{
		"unshare",
		"setns",
	},
}

Namespaces describes the system calls for changing the namespaces of a process

var NetworkConnection = Entitlement{
	Name: "network_connection",
	Syscalls: []string{
		"socket",
		"getsockopt",
		"setsockopt",
		"getsockname",
		"socketpair",
		"socket",
		"socketcall",
		"bind",
		"listen",
	},
}

NetworkConnection describes the system calls for creating and configuring sockets and for binding to and listening on them. It does not list connect, accept or the send/recv family of calls, so on architectures where those are separate system calls (x86-64, for one) a profile built from this entitlement alone will not let a program establish a connection or exchange data over it.

var Reboot = Entitlement{
	Name: "reboot",
	Syscalls: []string{
		"reboot",
	},
}

Reboot contains the system call that lets a program restart, halt or power off the system

var ResourceQuota = Entitlement{
	Name: "resource_quota",
	Syscalls: []string{
		"quotactl",
	},
}

ResourceQuota contains the system call for interacting with the per-user, per-group, and per-project disk quota

var RootFS = Entitlement{
	Name: "rootfs",
	Syscalls: []string{
		"pivot_root",
	},
}

RootFS describes the system call for changing the root mount of the calling process's mount namespace (pivot_root); chroot is not included

var SetTime = Entitlement{
	Name: "set_time",
	Syscalls: []string{
		"ntp_adjtime",
		"adjtimex",
		"clock_adjtime",
		"clock_settime",
		"settimeofday",
		"stime",
	},
}

SetTime describes the system calls for setting and adjusting the system clock

var SpecialFiles = Entitlement{
	Name: "special_files",
	Syscalls: []string{
		"mknod",
	},
}

SpecialFiles describes the creation of device nodes, FIFOs and other special files with mknod (mknodat is not included)

var SwapMemory = Entitlement{
	Name: "swap_memory",
	Syscalls: []string{
		"swapon",
		"swapoff",
	},
}

SwapMemory describes the system calls for enabling and disabling swap areas (swapon, swapoff)

var Tracing = Entitlement{
	Name: "tracing",
	Syscalls: []string{
		"acct",
		"ptrace",
		"lookup_dcookie",
		"bpf",
		"perf_event_open",
		"process_vm_readv",
		"process_vm_writev",
	},
}

Tracing describes the system calls for interacting with the tracing and observability facilities of the kernel, including ptrace, bpf, perf_event_open and process accounting (acct)

Functions

func ApplyEntitlements

func ApplyEntitlements(entitlements []Entitlement) error

ApplyEntitlements allows the system calls described by the entitlements passed to it, and returns an error if they could not be applied.

func CreateOCIProfileFromEntitlements

func CreateOCIProfileFromEntitlements(entitlements []Entitlement) spec.LinuxSeccomp

CreateOCIProfileFromEntitlements takes a set of entitlements and creates an OCI-compliant seccomp profile from them. That profile can be marshalled to JSON and passed to OCI container runtimes such as Docker or Podman.

func ListEntitlements

func ListEntitlements() []string

ListEntitlements returns the names of the entitlements defined in this package

func ValidEntitlement

func ValidEntitlement(entitlementName string) bool

ValidEntitlement reports whether entitlementName is the name of an entitlement defined in this package

Types

type Entitlement

type Entitlement struct {
	Name     string   `toml:"Name,omitempty"`
	Syscalls []string `toml:"Syscalls,omitempty"`
}

Entitlement represents a grouping of system call rules

func GetEntitlementsFromNames

func GetEntitlementsFromNames(entitlementNames []string) ([]Entitlement, error)

GetEntitlementsFromNames resolves a list of entitlement names to their Entitlement values, returning an error if a name cannot be resolved
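
The following Go program is an added worked example, not code from this package. It reproduces the workflow that GetEntitlementsFromNames, CreateOCIProfileFromEntitlements and the entitlement variables above support, using local stand-ins for the Entitlement type and for the OCI LinuxSeccomp JSON shape so that it runs without importing this package or runtime-spec: it resolves names to entitlements (failing on an unknown name), reports which syscalls a program needs that the chosen set does not grant (the clone and connect gaps noted for Exec and NetworkConnection), and emits an allow-list profile as JSON. The `builtin` map, the `needed` syscall list, the SCMP_ACT_ERRNO default action and the x86-64-only architecture list are assumptions of the example; the real package's profile may differ in those details.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Entitlement mirrors the shape of the package's Entitlement type: a named
// group of syscall names.
type Entitlement struct {
	Name     string
	Syscalls []string
}

// builtin is a constructed lookup table copying three of the package's
// entitlements verbatim (including the duplicated "socket" entry). The real
// package exposes its entitlements as package-level vars, not a map.
var builtin = map[string]Entitlement{
	"chown": {Name: "chown", Syscalls: []string{"chown", "fchown", "fchownat", "lchown"}},
	"exec":  {Name: "exec", Syscalls: []string{"execve", "execveat", "fork", "vfork"}},
	"network_connection": {Name: "network_connection", Syscalls: []string{
		"socket", "getsockopt", "setsockopt", "getsockname", "socketpair",
		"socket", "socketcall", "bind", "listen"}},
}

// Resolve maps entitlement names to Entitlement values. It fails on the
// first unknown name so that a typo cannot silently change the profile.
func Resolve(names []string) ([]Entitlement, error) {
	ents := make([]Entitlement, 0, len(names))
	for _, n := range names {
		e, ok := builtin[n]
		if !ok {
			return nil, fmt.Errorf("unknown entitlement %q", n)
		}
		ents = append(ents, e)
	}
	return ents, nil
}

// Allowed returns the sorted, de-duplicated union of the syscalls granted
// by the entitlements, so a name listed twice appears once in the profile.
func Allowed(ents []Entitlement) []string {
	set := map[string]struct{}{}
	for _, e := range ents {
		for _, s := range e.Syscalls {
			set[s] = struct{}{}
		}
	}
	out := make([]string, 0, len(set))
	for s := range set {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// Missing reports which of the syscalls a program needs are not granted by
// the entitlements; run it before shipping a profile to catch gaps.
func Missing(ents []Entitlement, needed []string) []string {
	allowed := map[string]bool{}
	for _, s := range Allowed(ents) {
		allowed[s] = true
	}
	var missing []string
	for _, s := range needed {
		if !allowed[s] {
			missing = append(missing, s)
		}
	}
	return missing
}

// syscallRule and seccompProfile are local mirrors of the fields of the OCI
// runtime-spec seccomp JSON that this example uses.
type syscallRule struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

type seccompProfile struct {
	DefaultAction string        `json:"defaultAction"`
	Architectures []string      `json:"architectures,omitempty"`
	Syscalls      []syscallRule `json:"syscalls"`
}

// ProfileJSON renders an allow-list profile. Everything not granted fails
// with an errno (SCMP_ACT_ERRNO) instead of killing the process, which keeps
// a missing syscall visible in the application's own error handling.
func ProfileJSON(ents []Entitlement) ([]byte, error) {
	p := seccompProfile{
		DefaultAction: "SCMP_ACT_ERRNO",
		Architectures: []string{"SCMP_ARCH_X86_64"}, // assumption: x86-64 only
		Syscalls:      []syscallRule{{Names: Allowed(ents), Action: "SCMP_ACT_ALLOW"}},
	}
	return json.MarshalIndent(p, "", "  ")
}

func main() {
	ents, err := Resolve([]string{"exec", "network_connection"})
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the syscall names one would collect with
	// `strace -f -c` on a small TCP client that forks a child.
	needed := []string{"execve", "clone", "socket", "connect", "bind"}
	fmt.Println("needed but not granted:", Missing(ents, needed))
	js, err := ProfileJSON(ents)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(js))
}
```

Writing the JSON to a file and passing `--security-opt seccomp=profile.json` to `docker run` or `podman run` applies the profile to the container; the Missing check is the step worth automating, since the syscalls a runtime actually issues (clone for fork, connect for a client) are not always the ones an entitlement's name suggests.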
