3 // Seccomp represents the config for a seccomp profile for syscall restriction.
5 DefaultAction Action `json:"defaultAction"`
6 // Architectures is kept to maintain backward compatibility with the old
8 Architectures []Arch `json:"architectures,omitempty"`
9 ArchMap []Architecture `json:"archMap,omitempty"`
10 Syscalls []*Syscall `json:"syscalls"`
13 // Architecture is used to represent a specific architecture
14 // and its sub-architectures
15 type Architecture struct {
16 Arch Arch `json:"architecture"`
17 SubArches []Arch `json:"subArchitectures"`
20 // Arch identifies a seccomp architecture (one of the SCMP_ARCH_* values below).
23 // Additional architectures that may be permitted for system calls.
24 // By default, only the native architecture of the kernel is permitted.
26 ArchX86 Arch = "SCMP_ARCH_X86"
27 ArchX86_64 Arch = "SCMP_ARCH_X86_64"
28 ArchX32 Arch = "SCMP_ARCH_X32"
29 ArchARM Arch = "SCMP_ARCH_ARM"
30 ArchAARCH64 Arch = "SCMP_ARCH_AARCH64"
31 ArchMIPS Arch = "SCMP_ARCH_MIPS"
32 ArchMIPS64 Arch = "SCMP_ARCH_MIPS64"
33 ArchMIPS64N32 Arch = "SCMP_ARCH_MIPS64N32"
34 ArchMIPSEL Arch = "SCMP_ARCH_MIPSEL"
35 ArchMIPSEL64 Arch = "SCMP_ARCH_MIPSEL64"
36 ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
37 ArchPPC Arch = "SCMP_ARCH_PPC"
38 ArchPPC64 Arch = "SCMP_ARCH_PPC64"
39 ArchPPC64LE Arch = "SCMP_ARCH_PPC64LE"
40 ArchS390 Arch = "SCMP_ARCH_S390"
41 ArchS390X Arch = "SCMP_ARCH_S390X"
44 // Action taken upon Seccomp rule match
47 // Define actions for Seccomp rules
49 ActKill Action = "SCMP_ACT_KILL"
50 ActTrap Action = "SCMP_ACT_TRAP"
51 ActErrno Action = "SCMP_ACT_ERRNO"
52 ActTrace Action = "SCMP_ACT_TRACE"
53 ActAllow Action = "SCMP_ACT_ALLOW"
56 // Operator used to match syscall arguments in Seccomp
59 // Define operators for syscall arguments in Seccomp
61 OpNotEqual Operator = "SCMP_CMP_NE"
62 OpLessThan Operator = "SCMP_CMP_LT"
63 OpLessEqual Operator = "SCMP_CMP_LE"
64 OpEqualTo Operator = "SCMP_CMP_EQ"
65 OpGreaterEqual Operator = "SCMP_CMP_GE"
66 OpGreaterThan Operator = "SCMP_CMP_GT"
67 OpMaskedEqual Operator = "SCMP_CMP_MASKED_EQ"
70 // Arg used for matching specific syscall arguments in Seccomp
72 Index uint `json:"index"`
73 Value uint64 `json:"value"`
74 ValueTwo uint64 `json:"valueTwo"`
75 Op Operator `json:"op"`
78 // Filter is used to conditionally apply Seccomp rules
80 Caps []string `json:"caps,omitempty"`
81 Arches []string `json:"arches,omitempty"`
84 // Syscall is used to match a group of syscalls in Seccomp
86 Name string `json:"name,omitempty"`
87 Names []string `json:"names,omitempty"`
88 Action Action `json:"action"`
89 Args []*Arg `json:"args"`
90 Comment string `json:"comment"`
91 Includes Filter `json:"includes"`
92 Excludes Filter `json:"excludes"`