kawipiko/sources/lib/seccomp/supported.go


//go:build linux && amd64 && seccomp
package seccomp
import "fmt"
import "syscall"
import "github.com/seccomp/libseccomp-golang"
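// init records that seccomp support is compiled into this binary.
//
// This file is only built under the `linux && amd64 && seccomp` tags, so
// Supported reflects build-time availability only: whether the running
// kernel actually accepts a filter is only discovered when
// AllowOnlySyscalls loads one. (The previous `if false { ... }` probe
// filter was dead code and has been dropped.)
func init() {
	Supported = true
}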
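// Fallback actions for a syscall that is not on the allow list. Only
// fallbackKill is a hardening setting; the other two exist for developing a
// syscall list (observe what breaks without killing anything) and must not
// ship in a production build.
const (
	fallbackKill  = iota // kill the offending thread (seccomp.ActKill)
	fallbackErrno        // fail the call with EPERM, the process keeps running
	fallbackLog          // allow the call but log it (audit only)
)

// fallbackMode is the compile-time selection among the modes above.
const fallbackMode = fallbackKill

// AllowOnlySyscalls installs a seccomp filter on the calling process that
// allows only the named syscalls; every other syscall hits the fallback
// action (by default the offending thread is killed).
//
// Each entry of _syscalls is a syscall name resolved against the native
// (amd64) table. An entry starting with '!' is skipped: there is no deny
// syntax yet, so such an entry has no effect on the filter. An empty entry
// is reported as an unresolvable name rather than crashing. The filter is
// registered for the x86, x32 and amd64 ABIs so the 32-bit syscall tables
// cannot be used to step around it.
//
// Returns an error if a name cannot be resolved or libseccomp rejects the
// filter. Once loaded, the filter cannot be removed from the process.
//
// NOTE(review): two properties are relied upon but not set explicitly here —
// confirm both against the vendored libseccomp-golang version:
//   - no_new_privs, which the kernel requires to load a filter without
//     CAP_SYS_ADMIN (libseccomp enables it by default);
//   - thread synchronisation (SetTsync); without it the filter binds only
//     the calling OS thread and goroutines scheduled on the Go runtime's
//     other threads stay unfiltered.
// Also, seccomp.ActKill kills only the offending thread; losing a single
// runtime thread can leave a Go process wedged rather than dead, so
// seccomp.ActKillProcess is preferable where the kernel and libseccomp
// support it.
func AllowOnlySyscalls(_syscalls []string) error {
	var _fallbackAction seccomp.ScmpAction
	switch fallbackMode {
	case fallbackErrno:
		_fallbackAction = seccomp.ActErrno.SetReturnCode(int16(syscall.EPERM))
	case fallbackLog:
		_fallbackAction = seccomp.ActLog
	default:
		_fallbackAction = seccomp.ActKill
	}

	_filter, _error := seccomp.NewFilter(_fallbackAction)
	if _error != nil {
		return _error
	}
	// Release frees only the user-space filter context; a filter that has
	// been loaded stays in the kernel regardless.
	defer _filter.Release()

	// ArchNative is amd64 on this build, so ArchAMD64 is listed twice;
	// presumably AddArch tolerates an already-present architecture (it did
	// in the original code as well) — verify if a newer libseccomp rejects it.
	_architectures := []seccomp.ScmpArch{
		seccomp.ArchNative,
		seccomp.ArchX86,
		seccomp.ArchX32,
		seccomp.ArchAMD64,
	}
	for _, _architecture := range _architectures {
		if _error := _filter.AddArch(_architecture); _error != nil {
			return fmt.Errorf("failed adding architecture `%v`: %w", _architecture, _error)
		}
	}

	for _, _syscall := range _syscalls {
		// Length check first: the original indexed _syscall[0] unguarded and
		// panicked on an empty entry. An empty name now falls through to the
		// resolver, which rejects it with the error below.
		if len(_syscall) > 0 && _syscall[0] == '!' {
			continue
		}
		_sc_syscall, _error := seccomp.GetSyscallFromNameByArch(_syscall, seccomp.ArchNative)
		if _error != nil {
			return fmt.Errorf("[5cf9cd60] failed resolving syscall `%s`: %w", _syscall, _error)
		}
		if _error := _filter.AddRule(_sc_syscall, seccomp.ActAllow); _error != nil {
			return fmt.Errorf("failed allowing syscall `%s`: %w", _syscall, _error)
		}
	}

	if _error := _filter.Load(); _error != nil {
		return fmt.Errorf("failed loading seccomp filter: %w", _error)
	}
	return nil
}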