seccomp

package

v0.0.0-...-5cb08d9 Latest Latest Go to latest Published: Apr 26, 2024 License: GPL-3.0 Imports: 19 Imported by: 46

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/snapcore/snapd

Links

Open Source Insights

Documentation ¶

Overview ¶

Package seccomp implements integration between snapd and snap-confine around seccomp.

Snappy creates so-called seccomp profiles for each application (for each snap) present in the system. Upon each execution of snap-confine, the profile is read and "compiled" to an eBPF program and injected into the kernel for the duration of the execution of the process.

There is no binary cache for seccomp, each time the launcher starts an application the profile is parsed and re-compiled.

The actual profiles are stored in /var/lib/snappy/seccomp/bpf/*.{src,bin}. This directory is hard-coded in snap-confine.

Index ¶

func MockSnapSeccompVersionInfo(versionInfo string) (restore func())
type Backend
type Compiler
type Specification
- func NewSpecification(appSet *interfaces.SnapAppSet) *Specification

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func MockSnapSeccompVersionInfo ¶

func MockSnapSeccompVersionInfo(versionInfo string) (restore func())

MockSnapSeccompVersionInfo is for use in tests only.

Types ¶

type Backend ¶

type Backend struct {
	// contains filtered or unexported fields
}

Backend is responsible for maintaining seccomp profiles for snap-confine.

func (*Backend) Initialize ¶

func (b *Backend) Initialize(*interfaces.SecurityBackendOptions) error

Initialize ensures that the global profile is on disk and interrogates libseccomp wrapper to generate a version string that will be used to determine if we need to recompile seccomp policy due to system changes outside of snapd.

func (*Backend) Name ¶

func (b *Backend) Name() interfaces.SecuritySystem

Name returns the name of the backend.

func (*Backend) NewSpecification ¶

func (b *Backend) NewSpecification(appSet *interfaces.SnapAppSet) interfaces.Specification

NewSpecification returns an empty seccomp specification.

func (*Backend) Remove ¶

func (b *Backend) Remove(snapName string) error

Remove removes seccomp profiles of a given snap.

func (*Backend) SandboxFeatures ¶

func (b *Backend) SandboxFeatures() []string

SandboxFeatures returns the list of seccomp features supported by the kernel and userspace.

func (*Backend) Setup ¶

func (b *Backend) Setup(appSet *interfaces.SnapAppSet, opts interfaces.ConfinementOptions, repo *interfaces.Repository, tm timings.Measurer) error

Setup creates seccomp profiles specific to a given snap. The snap can be in developer mode to make security violations non-fatal to the offending application process.

This method should be called after changing plug, slots, connections between them or application present in the snap.

type Compiler ¶

type Compiler interface {
	Compile(in, out string) error
	VersionInfo() (seccomp.VersionInfo, error)
}

type Specification ¶

type Specification struct {
	// contains filtered or unexported fields
}

Specification keeps all the seccomp snippets.

func NewSpecification ¶

func NewSpecification(appSet *interfaces.SnapAppSet) *Specification

func (*Specification) AddConnectedPlug ¶

func (spec *Specification) AddConnectedPlug(iface interfaces.Interface, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error

AddConnectedPlug records seccomp-specific side-effects of having a connected plug.

func (*Specification) AddConnectedSlot ¶

func (spec *Specification) AddConnectedSlot(iface interfaces.Interface, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error

AddConnectedSlot records seccomp-specific side-effects of having a connected slot.

func (*Specification) AddPermanentPlug ¶

func (spec *Specification) AddPermanentPlug(iface interfaces.Interface, plug *snap.PlugInfo) error

AddPermanentPlug records seccomp-specific side-effects of having a plug.

func (*Specification) AddPermanentSlot ¶

func (spec *Specification) AddPermanentSlot(iface interfaces.Interface, slot *snap.SlotInfo) error

AddPermanentSlot records seccomp-specific side-effects of having a slot.

func (*Specification) AddSnippet ¶

func (spec *Specification) AddSnippet(snippet string)

AddSnippet adds a new seccomp snippet.

func (*Specification) SecurityTags ¶

func (spec *Specification) SecurityTags() []string

SecurityTags returns a list of security tags which have a snippet.

func (*Specification) SnapAppSet ¶

func (spec *Specification) SnapAppSet() *interfaces.SnapAppSet

func (*Specification) SnippetForTag ¶

func (spec *Specification) SnippetForTag(tag string) string

SnippetForTag returns a combined snippet for given security tag with individual snippets joined with newline character. Empty string is returned for non-existing security tag.

func (*Specification) Snippets ¶

func (spec *Specification) Snippets() map[string][]string

Snippets returns a deep copy of all the added snippets.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL