summaryrefslogtreecommitdiffhomepage
path: root/pkg/seccomp/BUILD
AgeCommit message (Collapse)Author
2020-10-02Convert uses of the binary package in kernel to go-marshal.Rahat Mahmood
PiperOrigin-RevId: 335077195
2020-08-25Add nogo support to go_binary and go_test targets.Adin Scannell
Updates #3374 PiperOrigin-RevId: 328378700
2020-08-13Merge pull request #3476 from zhlhahaha:1930gVisor bot
PiperOrigin-RevId: 326563255
2020-08-12enable seccomp test on arm64Howard Zhang
syscalls in ARM64 is different from that in X86_64, use differen syscallrules for each arch. The auditnumber are also different for different arch. Use LINUX_AUDIT_ARCH to get correct auditnumber. Signed-off-by: Howard Zhang <howard.zhang@arm.com>
2020-02-10Update visibility.Adin Scannell
PiperOrigin-RevId: 294265019
2020-01-27Standardize on tools directory.Adin Scannell
PiperOrigin-RevId: 291745021
2019-09-12Remove go_test from go_stateify and go_marshalMichael Pratt
They are no-ops, so the standard rule works fine. PiperOrigin-RevId: 268776264
2019-06-13Update canonical repository.Adin Scannell
This can be merged after: https://github.com/google/gvisor-website/pull/77 or https://github.com/google/gvisor-website/pull/78 PiperOrigin-RevId: 253132620
2019-05-03Add arm64 support to pkg/seccompBin Lu
Signed-off-by: Bin Lu <bin.lu@arm.com> PiperOrigin-RevId: 246622505 Change-Id: I803639a0c5b0f75959c64fee5385314214834d10
2019-01-31Remove license commentsMichael Pratt
Nothing reads them and they can simply get stale. Generated with: $ sed -i "s/licenses(\(.*\)).*/licenses(\1)/" **/BUILD PiperOrigin-RevId: 231818945 Change-Id: Ibc3f9838546b7e94f13f217060d31f4ada9d4bf0
2018-10-23Track paths and provide a rename hook.Adin Scannell
This change also adds extensive testing to the p9 package via mocks. The sanity checks and type checks are moved from the gofer into the core package, where they can be more easily validated. PiperOrigin-RevId: 218296768 Change-Id: I4fc3c326e7bf1e0e140a454cbacbcc6fd617ab55
2018-10-10Add seccomp filter configuration to ptrace stubs.Adin Scannell
This is a defense-in-depth measure. If the sentry is compromised, this prevents system call injection to the stubs. There is some complexity with respect to ptrace and seccomp interactions, so this protection is not really available for kernel versions < 4.8; this is detected dynamically. Note that this also solves the vsyscall emulation issue by adding in appropriate trapping for those system calls. It does mean that a compromised sentry could theoretically inject these into the stub (ignoring the trap and resume, thereby allowing execution), but they are harmless. PiperOrigin-RevId: 216647581 Change-Id: Id06c232cbac1f9489b1803ec97f83097fcba8eb8
2018-07-27stateify: support explicit annotation mode; convert refs and stack packages.Zhaozhong Ni
We have been unnecessarily creating too many savable types implicitly. PiperOrigin-RevId: 206334201 Change-Id: Idc5a3a14bfb7ee125c4f2bb2b1c53164e46f29a8
2018-06-01Add SyscallRules that supports argument filteringZhengyu He
PiperOrigin-RevId: 198919043 Change-Id: I7f1f0a3b3430cd0936a4ee4fc6859aab71820bdf
2018-04-28Check in gVisor.Googler
PiperOrigin-RevId: 194583126 Change-Id: Ica1d8821a90f74e7e745962d71801c598c652463