Module seccomp


seccomp-bpf support on recent Linux kernels.

This works in tandem with namespace in order to implement sandbox profiles. It is generally the weaker of the two approaches, because BPF is limited, but it's useful for reducing kernel attack surface area and implementing coarse-grained policies.

Structs

Filter
sock_filter 🔒
sock_fprog 🔒

Constants

ABS 🔒
ALLOW_SYSCALL 🔒
ARCH_NR 🔒
The architecture number for x86-64.
ARCH_NR_OFFSET 🔒
ARG_0_OFFSET 🔒
ARG_1_OFFSET 🔒
ARG_2_OFFSET 🔒
AUDIT_ARCH_AARCH64 🔒
The architecture number for ARM 64-bit.
AUDIT_ARCH_ARM 🔒
The architecture number for ARM.
AUDIT_ARCH_PPC 🔒
The architecture number for ppc.
AUDIT_ARCH_PPC64 🔒
The architecture number for ppc64.
AUDIT_ARCH_PPC64LE 🔒
The architecture number for ppc64le.
AUDIT_ARCH_X86 🔒
The architecture number for x86.
AUDIT_ARCH_X86_64 🔒
The architecture number for x86-64.
EM_386 🔒
EM_AARCH64 🔒
EM_ARM 🔒
EM_PPC 🔒
EM_PPC64 🔒
EM_X86_64 🔒
EXAMINE_ARG_0 🔒
EXAMINE_ARG_1 🔒
EXAMINE_ARG_2 🔒
EXAMINE_SYSCALL 🔒
JEQ 🔒
JMP 🔒
JSET 🔒
K 🔒
KILL_PROCESS 🔒
LD 🔒
NETLINK_ROUTE 🔒
PR_SET_NO_NEW_PRIVS 🔒
PR_SET_SECCOMP 🔒
RET 🔒
SECCOMP_MODE_FILTER 🔒
SECCOMP_RET_ALLOW 🔒
SECCOMP_RET_KILL 🔒
SYSCALL_NR_OFFSET 🔒
VALIDATE_ARCHITECTURE_0 🔒
VALIDATE_ARCHITECTURE_1 🔒
VALIDATE_ARCHITECTURE_2 🔒
W 🔒
__AUDIT_ARCH_64BIT 🔒
A flag set in the architecture number for all 64-bit architectures.
__AUDIT_ARCH_LE 🔒
A flag set in the architecture number for all little-endian architectures.

Statics

ALLOWED_SYSCALLS
Syscalls that are always allowed.
ALLOWED_SYSCALLS_FOR_FILE_READ 🔒
ALLOWED_SYSCALLS_FOR_NETWORK_OUTBOUND 🔒
FILTER_EPILOGUE 🔒
FILTER_PROLOGUE 🔒