kawipiko/sources/lib/seccomp/supported.go



//go:build linux && amd64 && seccomp


package seccomp


import "fmt"
import "syscall"


import "github.com/seccomp/libseccomp-golang"


func init () {
	
	Supported = true
	
	if false {
		
		_filter, _error := seccomp.NewFilter (seccomp.ActLog)
		if _error != nil {
			panic (_error)
		}
		
		if _error = _filter.Load (); _error != nil {
			panic (_error)
		}
	}
}


func AllowOnlySyscalls (_syscalls []string) (error) {
	
	_architectures := []seccomp.ScmpArch {
			seccomp.ArchNative,
			seccomp.ArchX86,
			seccomp.ArchX32,
			seccomp.ArchAMD64,
		}
	
	_fallbackAction := seccomp.ActKill
	switch 0 {
		case 1 :
			_fallbackAction = seccomp.ActErrno.SetReturnCode (int16 (syscall.EPERM))
		case 2 :
			_fallbackAction = seccomp.ActLog
	}
	
	_filter, _error := seccomp.NewFilter (_fallbackAction)
	if _error != nil {
		return _error
	}
	
	for _, _architecture := range _architectures {
		if _error := _filter.AddArch (_architecture); _error != nil {
			return _error
		}
	}
	
	for _, _syscall := range _syscalls {
		
		var _sc_syscall seccomp.ScmpSyscall
		switch {
			
			case _syscall[0] == '!' :
				continue
			
			default :
				if _sc_syscall_0, _error := seccomp.GetSyscallFromNameByArch (_syscall, seccomp.ArchNative); _error == nil {
					_sc_syscall = _sc_syscall_0
				} else {
					return fmt.Errorf ("[5cf9cd60]  failed resolving syscall `%s`:  %w", _syscall, _error)
				}
		}
		
		if _error := _filter.AddRule (_sc_syscall, seccomp.ActAllow); _error != nil {
			return _error
		}
	}
	
	if _error = _filter.Load (); _error != nil {
		return _error
	}
	
	return nil
}
[server] Add initial working Linux `seccomp` filter for the server. 2022-09-11 17:19:56 +00:00

			`//go:build linux && amd64 && seccomp`




			`package seccomp`


			`import "fmt"`
			`import "syscall"`


			`import "github.com/seccomp/libseccomp-golang"`




			`func init () {`

			`Supported = true`

			`if false {`

			`_filter, _error := seccomp.NewFilter (seccomp.ActLog)`
			`if _error != nil {`
			`panic (_error)`
			`}`

			`if _error = _filter.Load (); _error != nil {`
			`panic (_error)`
			`}`
			`}`
			`}`




			`func AllowOnlySyscalls (_syscalls []string) (error) {`

			`_architectures := []seccomp.ScmpArch {`
			`seccomp.ArchNative,`
			`seccomp.ArchX86,`
			`seccomp.ArchX32,`
			`seccomp.ArchAMD64,`
			`}`

			`_fallbackAction := seccomp.ActKill`
			`switch 0 {`
			`case 1 :`
			`_fallbackAction = seccomp.ActErrno.SetReturnCode (int16 (syscall.EPERM))`
			`case 2 :`
			`_fallbackAction = seccomp.ActLog`
			`}`

			`_filter, _error := seccomp.NewFilter (_fallbackAction)`
			`if _error != nil {`
			`return _error`
			`}`

			`for _, _architecture := range _architectures {`
			`if _error := _filter.AddArch (_architecture); _error != nil {`
			`return _error`
			`}`
			`}`

			`for _, _syscall := range _syscalls {`

			`var _sc_syscall seccomp.ScmpSyscall`
			`switch {`

			`case _syscall[0] == '!' :`
			`continue`

			`default :`
			`if _sc_syscall_0, _error := seccomp.GetSyscallFromNameByArch (_syscall, seccomp.ArchNative); _error == nil {`
			`_sc_syscall = _sc_syscall_0`
			`} else {`
			return fmt.Errorf ("[5cf9cd60] failed resolving syscall `%s`: %w", _syscall, _error)
			`}`
			`}`

			`if _error := _filter.AddRule (_sc_syscall, seccomp.ActAllow); _error != nil {`
			`return _error`
			`}`
			`}`

			`if _error = _filter.Load (); _error != nil {`
			`return _error`
			`}`

			`return nil`
			`}`