Documentation
Overview
Package seccomp exposes the committed outer-container seccomp profile as an embedded byte slice so the `by admin install-seccomp` CLI subcommand can drop it on operators' disks without requiring network access.
The profile is generated by cmd/seccomp-merge from upstream-default.json + blockyard-outer-overlay.json and committed at internal/seccomp/blockyard-outer.json. Go's //go:embed directive rejects ".." in patterns, so the file MUST live in this directory (hence internal/seccomp/, not docker/). Dockerfiles COPY from this path against the repo-root build context.
Variables
var Outer []byte
Outer is the blockyard outer-container seccomp profile: Docker's default profile with an unconditional allow for clone/clone3/unshare/setns so bwrap can --unshare-user inside the container without CAP_SYS_ADMIN. Operators apply it with `--security-opt seccomp=<path>`.
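An operator or CI job can confirm that a profile really carries the unconditional allow described above before applying it. The following is an added example, not blockyard's own code: `MissingUnconditionalAllows` is a hypothetical helper, the sample profile is constructed, and the check assumes the Docker seccomp JSON layout (`syscalls[].names`, `action`, `args`, `includes`, `excludes`).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleProfile is constructed for this example; it is not blockyard-outer.json.
const sampleProfile = `{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
  {"names": ["read", "write"], "action": "SCMP_ACT_ALLOW"},
  {"names": ["clone", "unshare", "setns"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_ADMIN"]}},
  {"names": ["clone", "clone3", "unshare"], "action": "SCMP_ACT_ALLOW"}]}`

// MissingUnconditionalAllows (hypothetical helper) returns the syscalls in want
// that no rule allows without args filters or includes/excludes conditions.
func MissingUnconditionalAllows(profile []byte, want []string) ([]string, error) {
	var p struct {
		Syscalls []struct {
			Names              []string
			Action             string
			Args               []json.RawMessage
			Includes, Excludes map[string]any
		} `json:"syscalls"`
	}
	if err := json.Unmarshal(profile, &p); err != nil {
		return nil, fmt.Errorf("parse profile: %w", err)
	}
	allowed := map[string]bool{}
	for _, r := range p.Syscalls {
		if r.Action == "SCMP_ACT_ALLOW" && len(r.Args)+len(r.Includes)+len(r.Excludes) == 0 {
			for _, n := range r.Names {
				allowed[n] = true
			}
		}
	}
	var missing []string
	for _, n := range want {
		if !allowed[n] {
			missing = append(missing, n)
		}
	}
	return missing, nil
}

func main() {
	missing, err := MissingUnconditionalAllows([]byte(sampleProfile), []string{"clone", "clone3", "unshare", "setns"})
	fmt.Println("not unconditionally allowed:", missing, err) // [setns] <nil> for the sample
}
```

In the sample, `setns` is reported because its only allow rule is gated on CAP_SYS_ADMIN, which is the kind of conditional rule the overlay is meant to replace.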