github.com/seccomp/containers-golang
Module / package
Version: 0.6.0
Repository: https://github.com/seccomp/containers-golang.git
Documentation: pkg.go.dev

# README

containers-golang


containers-golang is a set of Go libraries used by container runtimes to generate and load seccomp mappings into the kernel.

seccomp (short for secure computing mode) is a BPF-based syscall filter language; this library presents a more conventional function-call-based filtering interface that should be familiar to, and easily adopted by, application developers.

Building

make - Generates the seccomp.json file, which contains the whitelisted syscalls that can be used by container runtime engines like CRI-O, Buildah, Podman and Docker, and by container runtimes like OCI runc, to control the syscalls available to containers.

Supported build tags

seccomp

Contributing

When developing this library, please use make (or make … BUILDTAGS=…) to take advantage of the tests and validation.

Contact

# Functions

DefaultProfile returns a nil pointer on unsupported systems.
GetDefaultProfile returns an error on unsupported systems.
GoArchToSeccompArch converts a runtime.GOARCH to a seccomp `Arch`.
IsEnabled returns true if seccomp is enabled for the host.
LoadProfile returns an error on unsupported systems.
LoadProfileFromBytes takes a byte slice and decodes the seccomp profile.
LoadProfileFromConfig takes a Seccomp struct and a spec to retrieve a LinuxSeccomp.

# Constants

Define actions for Seccomp rules.
Additional architectures permitted to be used for system calls. By default only the native architecture of the kernel is permitted.
Define operators for syscall arguments in Seccomp.

# Structs

Architecture is used to represent a specific architecture and its sub-architectures.
Arg used for matching specific syscall arguments in Seccomp.
Filter is used to conditionally apply Seccomp rules.
Seccomp represents the config for a seccomp profile for syscall restriction.
Syscall is used to match a group of syscalls in Seccomp.

# Type aliases

Action taken upon Seccomp rule match.
Arch used for architectures.
Operator used to match syscall arguments in Seccomp.