// Operator is a comparison operator to be used when matching syscall arguments in Seccomp.
//
// The enumeration starts at 1, so the zero value of Operator (for example an
// "op" field that is absent from the JSON) does not correspond to any defined
// operator and cannot be mistaken for EqualTo.
type Operator int

// Comparison operators. The numeric values are spelled out explicitly because
// the type is serialized as a plain integer through the `json:"op"` tag on Arg.
const (
	EqualTo              Operator = 1
	NotEqualTo           Operator = 2
	GreaterThan          Operator = 3
	GreaterThanOrEqualTo Operator = 4
	LessThan             Operator = 5
	LessThanOrEqualTo    Operator = 6
	MaskEqualTo          Operator = 7
)
// Arg is a rule to match a specific syscall argument in Seccomp.
//
// Index selects which argument of the syscall is inspected, Op is the
// comparison applied to it, and Value / ValueTwo are the operands of that
// comparison. Which operators consume ValueTwo is not visible here — presumably
// only MaskEqualTo does; confirm against the code that builds the filter.
type Arg struct {
	// Index is the zero-based position of the syscall argument to compare.
	Index uint `json:"index"`
	// Value is the first operand of the comparison.
	Value uint64 `json:"value"`
	// ValueTwo is the second operand; its meaning depends on Op.
	ValueTwo uint64 `json:"value_two"`
	// Op is the comparison operator; a zero (absent) Op matches no defined Operator.
	Op Operator `json:"op"`
}
// Syscall is a rule to match a syscall in Seccomp.
//
// The rule is identified by syscall name rather than number, so the same
// configuration can be applied on architectures with different syscall tables.
type Syscall struct {
	// Name is the syscall name the rule applies to.
	Name string `json:"name"`
	// Action is taken when the syscall (and all of Args) match.
	Action Action `json:"action"`
	// Args optionally narrows the rule to specific argument values; nil or
	// empty presumably matches the syscall regardless of its arguments — verify
	// against the filter builder.
	Args []*Arg `json:"args"`
}
// TODO Windows. Many of these fields should be factored out into those parts
// which are common across platforms, and those which are platform specific.
// Config defines configuration options for executing a process inside a contained environment.
typeConfigstruct{
// NoPivotRoot will use MS_MOVE and a chroot to jail the process into the container's rootfs
// This is a common option when the container is running in ramdisk
NoPivotRootbool`json:"no_pivot_root"`
// ParentDeathSignal specifies the signal that is sent to the container's process in the case
// that the parent process dies.
ParentDeathSignalint`json:"parent_death_signal"`
// Path to a directory containing the container's root filesystem.
Rootfsstring`json:"rootfs"`
// Readonlyfs will remount the container's rootfs as readonly where only externally mounted
// bind mounts are writtable.
Readonlyfsbool`json:"readonlyfs"`
// Specifies the mount propagation flags to be applied to /.
RootPropagationint`json:"rootPropagation"`
// Mounts specify additional source and destination paths that will be mounted inside the container's
// rootfs and mount namespace if specified
Mounts[]*Mount`json:"mounts"`
// The device nodes that should be automatically created within the container upon container start. Note, make sure that the node is marked as allowed in the cgroup as well!
Devices[]*Device`json:"devices"`
MountLabelstring`json:"mount_label"`
// Hostname optionally sets the container's hostname if provided
Hostnamestring`json:"hostname"`
// Namespaces specifies the container's namespaces that it should setup when cloning the init process
// If a namespace is not provided that namespace is shared from the container's parent process
NamespacesNamespaces`json:"namespaces"`
// Capabilities specify the capabilities to keep when executing the process inside the container
// All capabilities not specified will be dropped from the processes capability mask
Capabilities*Capabilities`json:"capabilities"`
// Networks specifies the container's network setup to be created
Networks[]*Network`json:"networks"`
// Routes can be specified to create entries in the route table as the container is started
Routes[]*Route`json:"routes"`
// Cgroups specifies specific cgroup settings for the various subsystems that the container is
// placed into to limit the resources the container has available
Cgroups*Cgroup`json:"cgroups"`
// AppArmorProfile specifies the profile to apply to the process running in the container and is