module Crysco::Security::Seccomp

Overview

An incomplete, thin wrapper for libseccomp

Defined in:

security/seccomp.cr

Constant Summary

EPERM = 1_u16
SCMP_ACT_ALLOW = 2147418112_u32

TODO move to Libseccomp bindings/enums? copied out of various C headers

SCMP_ACT_ERRNO_EPERM = (327680_u32 | (EPERM & 65535_u32))
SEC_SCMP_FAIL = (327680_u32 | ((1) & 65535_u32))

Class Method Summary

Macro Summary

Class Method Detail

def self.block_syscalls #

Block sensitive system calls, based on Barco's list, which is in turn based on Docker's list. Docker blocks all system calls by default and then individually allows a (very large) list of calls, but we're doing the opposite here for ease of implementation (I guess?)

  • https://github.com/lucavallin/barco/blob/4300a67b38c7f2b158ec0cb221e1f3396ab65d1e/src/sec.c
  • the Docker implementation is spread over like 4 repositories, but my rabbit hole started here: https://github.com/moby/moby/issues/42441

[View source]
def self.with_context(default_action : UInt32, &) : Nil #

[View source]

Macro Detail

macro syscall_num(name) #

[View source]