lxd: github.com/lxc/lxd/lxd/seccomp Index | Files

package seccomp

import "github.com/lxc/lxd/lxd/seccomp"


Package Files

cgo.go seccomp.go seccomp_empty.go

func CallForkmknod Uses

func CallForkmknod(c Instance, dev deviceConfig.Device, requestPID int, s *state.State) int

CallForkmknod executes fork mknod.

func CreateProfile Uses

func CreateProfile(s *state.State, c Instance) error

CreateProfile creates a seccomp profile.

func DeleteProfile Uses

func DeleteProfile(c Instance)

DeleteProfile removes a seccomp profile.

func InstanceNeedsIntercept Uses

func InstanceNeedsIntercept(s *state.State, c Instance) (bool, error)

InstanceNeedsIntercept returns whether instance needs intercept.

func InstanceNeedsPolicy Uses

func InstanceNeedsPolicy(c Instance) bool

InstanceNeedsPolicy returns whether the instance needs a policy or not.

func MountSyscallFilter Uses

func MountSyscallFilter(config map[string]string) []string

MountSyscallFilter creates a mount syscall filter from the config.

func ProfilePath Uses

func ProfilePath(c Instance) string

ProfilePath returns the seccomp path for the instance.

func SyscallInterceptMountFilter Uses

func SyscallInterceptMountFilter(config map[string]string) (map[string]string, error)

SyscallInterceptMountFilter creates a new mount syscall interception filter

func TaskIDs Uses

func TaskIDs(pid int) (int64, int64, int64, int64, error)

TaskIDs returns the task IDs for a process.

type Instance Uses

type Instance interface {
    Name() string
    Project() string
    ExpandedConfig() map[string]string
    IsPrivileged() bool
    Architecture() int
    RootfsPath() string
    CurrentIdmap() (*idmap.IdmapSet, error)
    DiskIdmap() (*idmap.IdmapSet, error)
    InsertSeccompUnixDevice(prefix string, m deviceConfig.Device, pid int) error

Instance is a seccomp specific instance interface. This is used rather than instance.Instance to avoid import loops.

type Iovec Uses

type Iovec struct {
    // contains filtered or unexported fields

Iovec defines an iovec to move data between kernel and userspace.

func NewSeccompIovec Uses

func NewSeccompIovec(ucred *unix.Ucred) *Iovec

NewSeccompIovec creates a new seccomp iovec.

func (*Iovec) IsValidSeccompIovec Uses

func (siov *Iovec) IsValidSeccompIovec(size uint64) bool

IsValidSeccompIovec checks whether a seccomp iovec is valid.

func (*Iovec) PutSeccompIovec Uses

func (siov *Iovec) PutSeccompIovec()

PutSeccompIovec puts a seccomp iovec.

func (*Iovec) ReceiveSeccompIovec Uses

func (siov *Iovec) ReceiveSeccompIovec(fd int) (uint64, error)

ReceiveSeccompIovec receives a seccomp iovec.

func (*Iovec) SendSeccompIovec Uses

func (siov *Iovec) SendSeccompIovec(fd int, errno int, flags uint32) error

SendSeccompIovec sends seccomp iovec.

type MknodArgs Uses

type MknodArgs struct {
    // contains filtered or unexported fields

MknodArgs arguments for mknod.

type MountArgs Uses

type MountArgs struct {
    // contains filtered or unexported fields

MountArgs arguments for mount.

type Server Uses

type Server struct {
    // contains filtered or unexported fields

Server defines a seccomp server.

func NewSeccompServer Uses

func NewSeccompServer(s *state.State, path string, findPID func(pid int32, state *state.State) (Instance, error)) (*Server, error)

NewSeccompServer creates a new seccomp server.

func (*Server) HandleInvalid Uses

func (s *Server) HandleInvalid(fd int, siov *Iovec)

HandleInvalid sends a dummy message to LXC. LXC will notice the short write and send a default message to the kernel thereby avoiding a 30s hang.

func (*Server) HandleMknodSyscall Uses

func (s *Server) HandleMknodSyscall(c Instance, siov *Iovec) int

HandleMknodSyscall handles a mknod syscall.

func (*Server) HandleMknodatSyscall Uses

func (s *Server) HandleMknodatSyscall(c Instance, siov *Iovec) int

HandleMknodatSyscall handles a mknodat syscall.

func (*Server) HandleMountSyscall Uses

func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int

HandleMountSyscall handles mount syscalls.

func (*Server) HandleSetxattrSyscall Uses

func (s *Server) HandleSetxattrSyscall(c Instance, siov *Iovec) int

HandleSetxattrSyscall handles setxattr syscalls.

func (*Server) HandleValid Uses

func (s *Server) HandleValid(fd int, siov *Iovec, findPID func(pid int32, state *state.State) (Instance, error)) error

HandleValid handles a valid seccomp notifier message.

func (*Server) MountSyscallShift Uses

func (s *Server) MountSyscallShift(c Instance) bool

MountSyscallShift checks whether this mount syscall needs shiftfs.

func (*Server) MountSyscallValid Uses

func (s *Server) MountSyscallValid(c Instance, args *MountArgs) (bool, string)

MountSyscallValid checks whether this is a mount syscall we intercept.

func (*Server) Stop Uses

func (s *Server) Stop() error

Stop stops a seccomp server.

type SetxattrArgs Uses

type SetxattrArgs struct {
    // contains filtered or unexported fields

SetxattrArgs arguments for setxattr.

Package seccomp imports 24 packages (graph) and is imported by 9 packages. Updated 2020-07-07. Refresh now. Tools for package owners.