github.com/zhuohuang-hust/src-cbuild@v0.0.0-20230105071821-c7aab3e7c840/api/types/seccomp.go (about)

     1  package types
     2  
     3  // Seccomp represents the config for a seccomp profile for syscall restriction.
     4  type Seccomp struct {
     5  	DefaultAction Action `json:"defaultAction"`
     6  	// Architectures is kept to maintain backward compatibility with the old
     7  	// seccomp profile.
     8  	Architectures []Arch         `json:"architectures,omitempty"`
     9  	ArchMap       []Architecture `json:"archMap,omitempty"`
    10  	Syscalls      []*Syscall     `json:"syscalls"`
    11  }
    12  
    13  // Architecture is used to represent an specific architecture
    14  // and its sub-architectures
    15  type Architecture struct {
    16  	Arch      Arch   `json:"architecture"`
    17  	SubArches []Arch `json:"subArchitectures"`
    18  }
    19  
    20  // Arch used for architectures
    21  type Arch string
    22  
    23  // Additional architectures permitted to be used for system calls
    24  // By default only the native architecture of the kernel is permitted
    25  const (
    26  	ArchX86         Arch = "SCMP_ARCH_X86"
    27  	ArchX86_64      Arch = "SCMP_ARCH_X86_64"
    28  	ArchX32         Arch = "SCMP_ARCH_X32"
    29  	ArchARM         Arch = "SCMP_ARCH_ARM"
    30  	ArchAARCH64     Arch = "SCMP_ARCH_AARCH64"
    31  	ArchMIPS        Arch = "SCMP_ARCH_MIPS"
    32  	ArchMIPS64      Arch = "SCMP_ARCH_MIPS64"
    33  	ArchMIPS64N32   Arch = "SCMP_ARCH_MIPS64N32"
    34  	ArchMIPSEL      Arch = "SCMP_ARCH_MIPSEL"
    35  	ArchMIPSEL64    Arch = "SCMP_ARCH_MIPSEL64"
    36  	ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
    37  	ArchPPC         Arch = "SCMP_ARCH_PPC"
    38  	ArchPPC64       Arch = "SCMP_ARCH_PPC64"
    39  	ArchPPC64LE     Arch = "SCMP_ARCH_PPC64LE"
    40  	ArchS390        Arch = "SCMP_ARCH_S390"
    41  	ArchS390X       Arch = "SCMP_ARCH_S390X"
    42  )
    43  
    44  // Action taken upon Seccomp rule match
    45  type Action string
    46  
    47  // Define actions for Seccomp rules
    48  const (
    49  	ActKill  Action = "SCMP_ACT_KILL"
    50  	ActTrap  Action = "SCMP_ACT_TRAP"
    51  	ActErrno Action = "SCMP_ACT_ERRNO"
    52  	ActTrace Action = "SCMP_ACT_TRACE"
    53  	ActAllow Action = "SCMP_ACT_ALLOW"
    54  )
    55  
    56  // Operator used to match syscall arguments in Seccomp
    57  type Operator string
    58  
    59  // Define operators for syscall arguments in Seccomp
    60  const (
    61  	OpNotEqual     Operator = "SCMP_CMP_NE"
    62  	OpLessThan     Operator = "SCMP_CMP_LT"
    63  	OpLessEqual    Operator = "SCMP_CMP_LE"
    64  	OpEqualTo      Operator = "SCMP_CMP_EQ"
    65  	OpGreaterEqual Operator = "SCMP_CMP_GE"
    66  	OpGreaterThan  Operator = "SCMP_CMP_GT"
    67  	OpMaskedEqual  Operator = "SCMP_CMP_MASKED_EQ"
    68  )
    69  
    70  // Arg used for matching specific syscall arguments in Seccomp
    71  type Arg struct {
    72  	Index    uint     `json:"index"`
    73  	Value    uint64   `json:"value"`
    74  	ValueTwo uint64   `json:"valueTwo"`
    75  	Op       Operator `json:"op"`
    76  }
    77  
    78  // Filter is used to conditionally apply Seccomp rules
    79  type Filter struct {
    80  	Caps   []string `json:"caps,omitempty"`
    81  	Arches []string `json:"arches,omitempty"`
    82  }
    83  
    84  // Syscall is used to match a group of syscalls in Seccomp
    85  type Syscall struct {
    86  	Name     string   `json:"name,omitempty"`
    87  	Names    []string `json:"names,omitempty"`
    88  	Action   Action   `json:"action"`
    89  	Args     []*Arg   `json:"args"`
    90  	Comment  string   `json:"comment"`
    91  	Includes Filter   `json:"includes"`
    92  	Excludes Filter   `json:"excludes"`
    93  }