package
0.0.0-20240720002214-37b2b8227b91
Repository: https://github.com/progrium/go-netstack.git
Documentation: pkg.go.dev
# Functions
BuildProgram builds a BPF program from the given map of actions to matching SyscallRules.
Install generates BPF code based on the set of syscalls provided.
MakeSyscallRules returns a new SyscallRules with the given set of rules.
MaskedEqual specifies a value that matches the input after the input is masked (bitwise &) against the given mask.
NewSyscallRules returns a new SyscallRules.
NonNegativeFDCheck ensures an FD argument is a non-negative int.
SetFilter installs the given BPF program.
SetFilterInChild is equivalent to SetFilter, but:
- It is safe to call after runtime.syscall_runtime_AfterForkInChild.
# Constants
No description provided by the author
RuleIP indicates which rules in the Rule array have to be applied to the instruction pointer.
No description provided by the author
# Variables
DenyNewExecMappings is a set of rules that denies creating new executable mappings and converting existing ones.
SyscallName gives names to system calls.
# Structs
AnyValue is a marker to indicate any value will be accepted.
BuildStats contains information about seccomp program generation.
MatchAll implements `SyscallRule` and matches everything.
RuleSet is a set of rules and associated action.
SyscallRules maps syscall numbers to their corresponding rules.
# Interfaces
SyscallRule expresses a set of rules to verify the arguments of a specific syscall.
# Type aliases
EqualTo specifies a value that needs to be strictly matched.
GreaterThan specifies a value that needs to be strictly smaller than the input.
GreaterThanOrEqual specifies a value that needs to be smaller than or equal to the input.
LessThan specifies a value that needs to be strictly greater than the input.
LessThanOrEqual specifies a value that needs to be greater than or equal to the input.
NotEqual specifies a value that is strictly not equal.
Or expresses an "OR" (a disjunction) over a set of `SyscallRule`s.
PerArg implements SyscallRule and verifies the syscall arguments and RIP.