// Copyright 2023 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package example defines two seccomp programs ("example_program1" and
// "example_program2") to be embedded in the `usage` package in this
// directory.
package example

import (
	"golang.org/x/sys/unix"
	"gvisor.dev/gvisor/pkg/abi/linux"
	"gvisor.dev/gvisor/pkg/seccomp"
	"gvisor.dev/gvisor/pkg/seccomp/precompiledseccomp"
)

// Names used by the precompiled programs: the variables they are compiled
// against and the programs themselves.
const (
	// FD1 and FD2 are the names of the two variables the example programs
	// take as input. Each holds one file descriptor number, which fits in
	// 32 bits. There is no 64-bit variable: if one is needed, declare two
	// 32-bit variables and concatenate them into a single 64-bit number in
	// the function that generates the `ProgramDesc`.
	FD1 = "fd1"
	FD2 = "fd2"

	// Program1Name is the name of the first example program.
	// It allows reading from `FD1` and `FD2`, but writing only to `FD1`.
	Program1Name = "example_program1"

	// Program2Name is the name of the second example program.
	// It allows reading from `FD1` and `FD2`, but writing only to `FD2`.
	Program2Name = "example_program2"
)

// Program1 returns a program that allows reading from FDs `FD1` and `FD2`,
// but writing only to FD `FD1`. Rules match on the syscall argument value,
// so "FD1" means whichever descriptor carries that number at runtime.
func Program1(values precompiledseccomp.Values) precompiledseccomp.ProgramDesc {
	// read(2) is allowed on either descriptor; write(2) only on FD1.
	// NOTE(review): indexing values with a name that is absent presumably
	// yields the zero value (fd 0) — confirm that Precompile always
	// supplies both FD1 and FD2 before relying on this program.
	readFromEither := seccomp.Or{
		seccomp.PerArg{seccomp.EqualTo(values[FD1])},
		seccomp.PerArg{seccomp.EqualTo(values[FD2])},
	}
	writeToFD1 := seccomp.PerArg{seccomp.EqualTo(values[FD1])}
	rules := seccomp.NewSyscallRules().
		Add(unix.SYS_READ, readFromEither).
		Add(unix.SYS_WRITE, writeToFD1)
	return precompiledseccomp.ProgramDesc{
		Rules: []seccomp.RuleSet{{
			Rules:  rules,
			Action: linux.SECCOMP_RET_ALLOW,
		}},
		SeccompOptions: seccomp.DefaultProgramOptions(),
	}
}

// Program2 returns a program that allows reading from FDs `FD1` and `FD2`,
// but writing only to FD `FD2`. It is the mirror image of Program1: the
// read rule is identical, only the descriptor permitted for write differs.
func Program2(values precompiledseccomp.Values) precompiledseccomp.ProgramDesc {
	// read(2) is allowed on either descriptor; write(2) only on FD2.
	// NOTE(review): as in Program1, a missing name in values presumably
	// yields fd 0 — confirm Precompile supplies both variables.
	readFromEither := seccomp.Or{
		seccomp.PerArg{seccomp.EqualTo(values[FD1])},
		seccomp.PerArg{seccomp.EqualTo(values[FD2])},
	}
	writeToFD2 := seccomp.PerArg{seccomp.EqualTo(values[FD2])}
	rules := seccomp.NewSyscallRules().
		Add(unix.SYS_READ, readFromEither).
		Add(unix.SYS_WRITE, writeToFD2)
	return precompiledseccomp.ProgramDesc{
		Rules: []seccomp.RuleSet{{
			Rules:  rules,
			Action: linux.SECCOMP_RET_ALLOW,
		}},
		SeccompOptions: seccomp.DefaultProgramOptions(),
	}
}

// PrecompiledPrograms defines the seccomp-bpf programs to precompile.
// This function is called by the generated `go_binary` rule.
//
// Both programs are compiled against the same variable list (FD1, FD2).
// The first compilation error aborts the whole set and is returned as-is.
func PrecompiledPrograms() ([]precompiledseccomp.Program, error) {
	vars := []string{FD1, FD2}
	programs := make([]precompiledseccomp.Program, 0, 2)
	for _, p := range []struct {
		name string
		desc func(precompiledseccomp.Values) precompiledseccomp.ProgramDesc
	}{
		{Program1Name, Program1},
		{Program2Name, Program2},
	} {
		compiled, err := precompiledseccomp.Precompile(p.name, vars, p.desc)
		if err != nil {
			return nil, err
		}
		programs = append(programs, compiled)
	}
	return programs, nil
}