module Crysco::Security::Seccomp
Overview
An incomplete, thin wrapper for libseccomp
Defined in:
security/seccomp.crConstant Summary
-
EPERM =
1_u16
-
SCMP_ACT_ALLOW =
2147418112_u32
-
TODO move to Libseccomp bindings/enums? copied out of various C headers
-
SCMP_ACT_ERRNO_EPERM =
(327680_u32 | (EPERM & 65535_u32))
-
SEC_SCMP_FAIL =
(327680_u32 | ((1) & 65535_u32))
Class Method Summary
-
.block_syscalls
Block sensitive system calls, based on Barco's list, which is in turn based on Docker's list.
- .with_context(default_action : UInt32, &) : Nil
Macro Summary
Class Method Detail
def self.block_syscalls
#
Block sensitive system calls, based on Barco's list, which is in turn based on Docker's list. Docker blocks all system calls by default and then individually allows a (very large) list of calls, but we're doing the opposite here for ease of implementation (I guess?)
- https://github.com/lucavallin/barco/blob/4300a67b38c7f2b158ec0cb221e1f3396ab65d1e/src/sec.c
- the Docker implementation is spread over like 4 repositories, but my rabbit hole started here: https://github.com/moby/moby/issues/42441