MCPcopy
hub / github.com/lxc/incus / seccompGetPolicyContent

Function seccompGetPolicyContent

internal/server/seccomp/seccomp.go:730–831  ·  view source on GitHub ↗
(s *state.State, c Instance)

Source from the content-addressed store, hash-verified

728}
729
730func seccompGetPolicyContent(s *state.State, c Instance) (string, error) {
731 config := c.ExpandedConfig()
732
733 // Full policy override
734 raw := config["raw.seccomp"]
735 if raw != "" {
736 return raw, nil
737 }
738
739 // Policy header
740 policy := seccompHeader
741 allowlist := config["security.syscalls.allow"]
742 if allowlist == "" {
743 allowlist = config["security.syscalls.whitelist"]
744 }
745
746 if allowlist != "" {
747 policy += "allowlist\n[all]\n"
748 policy += allowlist
749 } else {
750 policy += "denylist\n[all]\n"
751
752 defaultFlag, ok := config["security.syscalls.deny_default"]
753 if !ok {
754 defaultFlag, ok = config["security.syscalls.blacklist_default"]
755 }
756
757 if !ok || util.IsTrue(defaultFlag) {
758 policy += defaultSeccompPolicy
759 }
760 }
761
762 // Syscall interception
763 ok, err := InstanceNeedsIntercept(s, c)
764 if err != nil {
765 return "", err
766 }
767
768 if ok {
769 // Prevent the container from overriding our syscall
770 // supervision.
771 policy += seccompNotifyDisallow
772
773 if util.IsTrue(config["security.syscalls.intercept.mknod"]) {
774 policy += seccompNotifyMknod
775 }
776
777 if util.IsTrue(config["security.syscalls.intercept.sched_setscheduler"]) {
778 policy += seccompNotifySchedSetscheduler
779 }
780
781 if util.IsTrue(config["security.syscalls.intercept.setxattr"]) {
782 policy += seccompNotifySetxattr
783 }
784
785 if util.IsTrue(config["security.syscalls.intercept.sysinfo"]) {
786 policy += seccompNotifySysinfo
787 }

Callers 1

CreateProfileFunction · 0.85

Calls 5

IsTrueFunction · 0.92
ArchitectureNameFunction · 0.92
InstanceNeedsInterceptFunction · 0.85
ExpandedConfigMethod · 0.65
ArchitectureMethod · 0.65

Tested by

no test coverage detected

Used in the wild real call sites across dependent graphs

searching dependent graphs…