seccomp

package

v0.0.0-...-4dd7a9f Latest Latest Go to latest Published: May 27, 2020 License: MIT Imports: 18 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/pjbgf/zaz

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
type BruteForceRunner
type BruteForceSource
- func NewBruteForceSource(runner BruteForceRunner) *BruteForceSource
- func (s *BruteForceSource) GetSystemCalls() (*specs.LinuxSyscall, error)
type DockerRunner
- func NewDockerRunner(img, cmd string) (*DockerRunner, error)
- func (r *DockerRunner) RunWithSeccomp(profile *specs.LinuxSeccomp) (err error)
type Error
- func (e Error) Error() string
type ProfileTemplate
type ProfileVerifier
- func NewProfileVerifier(profileReader io.Reader) *ProfileVerifier
- func (v *ProfileVerifier) Run() ([]Warning, error)
type Seccomp
- func NewSeccomp(syscallsSource SyscallsSource) *Seccomp
- func (s *Seccomp) GetProfile() (*specs.LinuxSeccomp, error)
type SyscallsFromGo
- func NewSyscallsFromGo(filePath string) *SyscallsFromGo
- func (s *SyscallsFromGo) GetSystemCalls() (*specs.LinuxSyscall, error)
type SyscallsFromLog
- func NewSyscallsFromLog(reader io.Reader, processID int) *SyscallsFromLog
- func (s *SyscallsFromLog) GetSystemCalls() (*specs.LinuxSyscall, error)
type SyscallsFromTemplate
- func NewSyscallsFromTemplate(name ProfileTemplate) *SyscallsFromTemplate
- func (s *SyscallsFromTemplate) GetSystemCalls() (*specs.LinuxSyscall, error)
type SyscallsSource
type Warning

Constants ¶

View Source

const ErrCannotFetchContainerStatus = Error("error trying to fetch container status")

ErrCannotFetchContainerStatus is returned when a container cannot have its status verified.

View Source

const ErrContainerExecutionFailure = Error("error running container")

ErrContainerExecutionFailure is returned when a container execution fails.

View Source

const ErrContainerExecutionTimeout = Error("container execution timed-out")

ErrContainerExecutionTimeout is returned when a container execution times out.

View Source

const ErrHighRiskSyscallAllowed = Error("profile allows high-risk system calls")

ErrHighRiskSyscallAllowed is returned when a profile allows high-risk system calls.

View Source

const ErrImageCouldNotBePulled = Error("image could not be pulled")

ErrImageCouldNotBePulled is returned when the image is not found locally and cannot be downloaded from an external container registry.

View Source

const ErrInvalidProfile = Error("profile content is invalid")

ErrInvalidProfile is returned when an invalid seccomp profile is provided.

View Source

const ErrInvalidSyntax = Error("invalid syntax")

ErrInvalidSyntax is returned when an invalid syntax is used.

View Source

const ErrInvalidTemplateName = Error("invalid template name")

ErrInvalidTemplateName is returned when a invalid template name is used.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type BruteForceRunner ¶

type BruteForceRunner interface {
	RunWithSeccomp(profile *specs.LinuxSeccomp) error
}

BruteForceRunner defines the interface for brute force runners.

type BruteForceSource ¶

type BruteForceSource struct {
	// contains filtered or unexported fields
}

BruteForceSource represents a system calls source based on a brute force approach.

func NewBruteForceSource ¶

func NewBruteForceSource(runner BruteForceRunner) *BruteForceSource

NewBruteForceSource initialises BruteForceSource.

func (*BruteForceSource) GetSystemCalls ¶

func (s *BruteForceSource) GetSystemCalls() (*specs.LinuxSyscall, error)

GetSystemCalls returns all system calls found by brute forcing the profile using a runner.

type DockerRunner ¶

type DockerRunner struct {
	Image   string
	Command string
}

DockerRunner represents a runner for docker.

func NewDockerRunner ¶

func NewDockerRunner(img, cmd string) (*DockerRunner, error)

NewDockerRunner initialises DockerRunner.

func (*DockerRunner) RunWithSeccomp ¶

func (r *DockerRunner) RunWithSeccomp(profile *specs.LinuxSeccomp) (err error)

RunWithSeccomp creates a container and runs the defined command.

type Error ¶

type Error string

Error defines an error type that can be used as constant.

func (Error) Error ¶

func (e Error) Error() string

Error returns the error message.

type ProfileTemplate ¶

type ProfileTemplate string

ProfileTemplate represents a type for seccomp templates.

const (
	// WebTemplate represents a seccomp profile for web applications.
	WebTemplate ProfileTemplate = "web"
)

type ProfileVerifier ¶

type ProfileVerifier struct {
	// contains filtered or unexported fields
}

ProfileVerifier holds the logic for validating seccomp profiles.

func NewProfileVerifier ¶

func NewProfileVerifier(profileReader io.Reader) *ProfileVerifier

NewProfileVerifier initialises and returns a new ProfileVerifier.

func (*ProfileVerifier) Run ¶

func (v *ProfileVerifier) Run() ([]Warning, error)

Run executes a seccomp profile validation, returning an error and a list of Warning with the high-risk system calls found.

type Seccomp ¶

type Seccomp struct {
	NilProfileForNoCalls bool
	// contains filtered or unexported fields
}

Seccomp represents the seccomp profile generation functionatily.

func NewSeccomp ¶

func NewSeccomp(syscallsSource SyscallsSource) *Seccomp

NewSeccomp initialises a new Seccomp.

func (*Seccomp) GetProfile ¶

func (s *Seccomp) GetProfile() (*specs.LinuxSeccomp, error)

GetProfile returns a seccomp profile based on the source defined.

type SyscallsFromGo ¶

type SyscallsFromGo struct {
	// contains filtered or unexported fields
}

SyscallsFromGo represents a syscalls source from go executables.

func NewSyscallsFromGo ¶

func NewSyscallsFromGo(filePath string) *SyscallsFromGo

NewSyscallsFromGo initialises and returns a new SyscallsFromGo

func (*SyscallsFromGo) GetSystemCalls ¶

func (s *SyscallsFromGo) GetSystemCalls() (*specs.LinuxSyscall, error)

GetSystemCalls returns all system calls found in the go executable specified at filePath.

type SyscallsFromLog ¶

type SyscallsFromLog struct {
	// contains filtered or unexported fields
}

SyscallsFromLog represents a syscalls source from syslog files.

func NewSyscallsFromLog ¶

func NewSyscallsFromLog(reader io.Reader, processID int) *SyscallsFromLog

NewSyscallsFromLog initialises and returns a new SyscallsFromLog

func (*SyscallsFromLog) GetSystemCalls ¶

func (s *SyscallsFromLog) GetSystemCalls() (*specs.LinuxSyscall, error)

GetSystemCalls returns all system calls found in the syslog for a given processID.

type SyscallsFromTemplate ¶

type SyscallsFromTemplate struct {
	// contains filtered or unexported fields
}

SyscallsFromTemplate represents a template with pre-defined syscalls.

func NewSyscallsFromTemplate ¶

func NewSyscallsFromTemplate(name ProfileTemplate) *SyscallsFromTemplate

NewSyscallsFromTemplate initialises and returns a new SyscallsFromTemplate

func (*SyscallsFromTemplate) GetSystemCalls ¶

func (s *SyscallsFromTemplate) GetSystemCalls() (*specs.LinuxSyscall, error)

GetSystemCalls returns all system calls from a pre-defined template.

type SyscallsSource ¶

type SyscallsSource interface {
	GetSystemCalls() (*specs.LinuxSyscall, error)
}

SyscallsSource defines the interface for syscalls sources.

type Warning ¶

type Warning struct {
	SyscallName string
}

Warning represents a warning about a system call.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL