Documentation
Overview
Package seccomp leverages integration tests for generating Minijail seccomp policies.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type Filter
type Filter int
Filter is an enum conveying whether the target process performs Minijail sandboxing itself, so that syscalls made before the sandbox has been entered can be ignored.
type PolicyGenerator
type PolicyGenerator struct {
// contains filtered or unexported fields
}
PolicyGenerator keeps track of what syscalls have been observed as well as values of a subset of arguments for the purpose of generating a Minijail seccomp policy.
It is a reimplementation of https://chromium.googlesource.com/aosp/platform/external/minijail/+/HEAD/tools/generate_seccomp_policy.py, written so that Python does not become a dependency of tast.
func NewPolicyGenerator
func NewPolicyGenerator() *PolicyGenerator
NewPolicyGenerator creates an initialized value of PolicyGenerator with sensitive syscalls marked so they can be filtered by arguments.
func (*PolicyGenerator) AddStraceLog
func (m *PolicyGenerator) AddStraceLog(logFile string, filter Filter) (rerr error)
AddStraceLog reads the result from the strace log and applies it to the Minijail policy generator.
func (*PolicyGenerator) AddSyscall
func (m *PolicyGenerator) AddSyscall(syscall, params string) bool
AddSyscall records a particular syscall in the frequency data. For sensitive system calls, params is parsed so that an argument filter can be computed.
func (*PolicyGenerator) GeneratePolicy
func (m *PolicyGenerator) GeneratePolicy() string
GeneratePolicy returns the Minijail policy that results from the system call frequency data in decreasing order of occurrence. Ties are sorted in alphabetical order.
func (*PolicyGenerator) LookupSyscall
func (m *PolicyGenerator) LookupSyscall(syscall string) (int, string)
LookupSyscall gets the frequency count and seccomp policy rule for a system call. If the system call isn't found in the frequency data, {0, ""} is returned.
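The following is an added example, not the package's own code, that shows in plain Go the strategy AddSyscall and GeneratePolicy describe: count each completed syscall in strace output, order the rules by decreasing frequency with alphabetical ties, and restrict a chosen subset of syscalls by their first argument. The sensitiveArg0 set and the strace excerpt are constructed assumptions; the real package marks its own set of sensitive syscalls.

```go
package main

import "fmt"
import "sort"
import "strings"

// sensitiveArg0: hypothetical subset of syscalls whose arg0 gets a Minijail filter.
var sensitiveArg0 = map[string]bool{"socket": true, "prctl": true}

// generatePolicy counts completed "name(args) = ret" strace lines (signal, exit and
// "<unfinished ...>" lines are skipped) and emits one Minijail rule per syscall,
// most frequent first, ties alphabetical; sensitive syscalls get arg0 filters.
func generatePolicy(log string) string {
	count, filters, seen := map[string]int{}, map[string][]string{}, map[string]bool{}
	for _, line := range strings.Split(log, "\n") {
		open, end := strings.Index(line, "("), strings.LastIndex(line, ") =")
		if open <= 0 || end < open {
			continue
		}
		name := line[:open]
		count[name]++
		a := strings.TrimSpace(strings.SplitN(line[open+1:end], ",", 2)[0])
		if sensitiveArg0[name] && !seen[name+" "+a] {
			seen[name+" "+a] = true
			filters[name] = append(filters[name], "arg0 == "+a)
		}
	}
	names := make([]string, 0, len(count))
	for n := range count {
		names = append(names, n)
	}
	sort.Slice(names, func(i, j int) bool { // decreasing count, then name
		return count[names[i]] > count[names[j]] || (count[names[i]] == count[names[j]] && names[i] < names[j])
	})
	var b strings.Builder
	for _, n := range names {
		sort.Strings(filters[n])
		rule := strings.Join(filters[n], " || ")
		if rule == "" {
			rule = "1" // no argument filter: allow the syscall unconditionally
		}
		b.WriteString(n + ": " + rule + "\n")
	}
	return b.String()
}

func main() { // runs on a constructed strace excerpt, not a real capture
	fmt.Print(generatePolicy("openat(AT_FDCWD, \"/etc/hosts\", O_RDONLY) = 3\nread(3, \"\", 16) = 0\n" +
		"read(3, \"x\", 1) = 1\nclose(3) = 0\nsocket(AF_UNIX, SOCK_STREAM, 0) = 4\n+++ exited with 0 +++"))
}
```

Lines prefixed with "[pid N]" (from strace -f) are not handled here; the real AddStraceLog works on the log file it is given, whereas this example takes the log text as a string.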