pub struct SeccompManager { /* private fields */ }

Seccomp filter manager.

Implements syscall whitelisting for the security state machine (NucleusSecurity_Seccomp_SeccompEnforcement.tla).
Implementations

impl SeccompManager

pub fn new() -> Self
pub fn compile_minimal_filter() -> Result<BpfProgram>

Compile the minimal BPF filter without applying it.

This is useful for benchmarking filter compilation overhead without the irreversible side effect of applying the filter.
pub fn apply_minimal_filter(&mut self) -> Result<bool>

Apply the seccomp filter.

This implements the transition no_filter -> whitelist_active in the seccomp state machine (NucleusSecurity_Seccomp_SeccompEnforcement.tla).

Once applied, the filter cannot be removed (irreversible property). In rootless mode, or if seccomp setup fails, this warns and continues.
pub fn apply_minimal_filter_with_mode(
    &mut self,
    best_effort: bool,
    log_denied: bool,
) -> Result<bool>

Apply the seccomp filter with configurable failure behavior.

When best_effort is true, failures are logged and execution continues. When false, seccomp setup is fail-closed.
pub fn apply_filter_for_network_mode(
    &mut self,
    allow_network: bool,
    best_effort: bool,
    log_denied: bool,
) -> Result<bool>

Apply the seccomp filter with network-mode-aware socket restrictions.

When allow_network is false, SYS_socket is restricted to AF_UNIX only, preventing creation of network sockets (AF_INET, AF_INET6, etc.). When allow_network is true, all socket domains are permitted.

When best_effort is true, failures are logged and execution continues. When false, seccomp setup is fail-closed.
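As an added illustration (not code from this crate), the shape of program the allow_network == false path describes: a classic-BPF seccomp filter that checks the arch, allowlists syscalls by number, admits socket(2) only for the AF_UNIX domain and fails everything else with EPERM, plus a tiny cBPF interpreter so the program can be checked offline without ever being installed. It assumes x86_64 constants and an EPERM default action; the crate's real instruction layout and default action are not shown on this page.

```rust
#[derive(Clone, Copy)] struct SockFilter { code: u16, jt: u8, jf: u8, k: u32 } // struct sock_filter
struct SeccompData { nr: u32, arch: u32, args: [u64; 6] } // struct seccomp_data, minus the ip field
const BPF_LD_W_ABS: u16 = 0x20; const BPF_JEQ_K: u16 = 0x15; const BPF_RET_K: u16 = 0x06;
const SECCOMP_RET_KILL_PROCESS: u32 = 0x8000_0000;
const SECCOMP_RET_ERRNO: u32 = 0x0005_0000; // low 16 bits carry the errno value
const SECCOMP_RET_ALLOW: u32 = 0x7fff_0000;
const AUDIT_ARCH_X86_64: u32 = 0xc000_003e;
const SYS_SOCKET: u32 = 41; // x86_64 syscall number (assumed target arch for this example)
const AF_UNIX: u32 = 1;
const OFF_NR: u32 = 0; const OFF_ARCH: u32 = 4; const OFF_ARG0: u32 = 16; // seccomp_data offsets (LE)
fn ld(k: u32) -> SockFilter { SockFilter { code: BPF_LD_W_ABS, jt: 0, jf: 0, k } }
fn jeq(k: u32, jt: u8, jf: u8) -> SockFilter { SockFilter { code: BPF_JEQ_K, jt, jf, k } }
fn ret(k: u32) -> SockFilter { SockFilter { code: BPF_RET_K, jt: 0, jf: 0, k } }
/// Arch check, then allowlist `allowed` by number; `socket` is handled on its own so that with
/// `allow_network == false` only AF_UNIX sockets can be created (AF_INET/AF_INET6 get EPERM).
fn build_filter(allowed: &[u32], allow_network: bool) -> Vec<SockFilter> {
    let mut p = vec![ld(OFF_ARCH), jeq(AUDIT_ARCH_X86_64, 1, 0), ret(SECCOMP_RET_KILL_PROCESS), ld(OFF_NR)];
    for &nr in allowed.iter().filter(|&&nr| nr != SYS_SOCKET) {
        p.push(jeq(nr, 0, 1)); // equal: fall into the allow below; otherwise skip over it
        p.push(ret(SECCOMP_RET_ALLOW));
    }
    if allow_network {
        p.push(jeq(SYS_SOCKET, 0, 1));
    } else {
        p.push(jeq(SYS_SOCKET, 0, 3)); // not socket: jump over the domain check to the deny
        p.push(ld(OFF_ARG0));          // domain argument of socket(2)
        p.push(jeq(AF_UNIX, 0, 1));    // AF_UNIX: allow; any other domain: deny
    }
    p.push(ret(SECCOMP_RET_ALLOW));
    p.push(ret(SECCOMP_RET_ERRNO | 1)); // default action: fail the call with EPERM (1)
    p
}
/// Minimal cBPF interpreter for the three opcodes used above; jump offsets are relative to pc+1.
fn run_filter(prog: &[SockFilter], d: &SeccompData) -> u32 {
    let (mut pc, mut acc) = (0usize, 0u32);
    loop {
        let i = prog[pc]; pc += 1;
        match i.code {
            BPF_LD_W_ABS => acc = match i.k { OFF_NR => d.nr, OFF_ARCH => d.arch,
                OFF_ARG0 => d.args[0] as u32, _ => panic!("unsupported load offset") },
            BPF_JEQ_K => pc += if acc == i.k { i.jt as usize } else { i.jf as usize },
            BPF_RET_K => return i.k, _ => panic!("unsupported opcode"),
        }
    }
}
fn main() {
    let prog = build_filter(&[0, 1], false); // read, write on x86_64 allowed; network sockets denied
    let probe = SeccompData { nr: SYS_SOCKET, arch: AUDIT_ARCH_X86_64, args: [2, 0, 0, 0, 0, 0] }; // AF_INET
    println!("socket(AF_INET) -> {:#x}", run_filter(&prog, &probe)); // 0x50001 = ERRNO | EPERM
}
```

The arch check is what keeps the numeric allowlist meaningful: without it a 32-bit-ABI call would be judged against x86_64 numbers.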
pub fn apply_profile_from_file(
    &mut self,
    profile_path: &Path,
    expected_sha256: Option<&str>,
    audit_mode: bool,
) -> Result<bool>

Apply a seccomp profile loaded from a JSON file.

The profile format is a JSON object with:

    {
      "defaultAction": "SCMP_ACT_ERRNO",
      "syscalls": [
        { "names": ["read", "write", "open", ...], "action": "SCMP_ACT_ALLOW" }
      ]
    }

This is a subset of the OCI seccomp profile format. Only the syscall name allowlist is used; argument-level filtering from the built-in profile is not applied when using a custom profile.

If expected_sha256 is provided, the file's SHA-256 hash is verified against it before loading. This prevents silent profile tampering.
pub fn apply_trace_filter(&mut self) -> Result<bool>

Install an allow-all seccomp filter with SECCOMP_FILTER_FLAG_LOG.

Used in trace mode: all syscalls are allowed but logged to the kernel audit subsystem. A separate reader collects the logged syscalls.
pub fn is_applied(&self) -> bool

Check whether the seccomp filter has been applied.