RunSeccomp
Description:
public class RunSeccomp : Object
Seccomp user-notify setup and aggregation for a single bubblewrap run.
Installs NOTIFY (SECCOMP_RET_USER_NOTIF) rules in the spawned child before it execs into bwrap, passes the resulting notify fd back to the
parent over a socketpair, and records socket/connect/fs events on the parent's main context. Evidence strings for tool output are
produced only when the NOTIFY setup succeeds; otherwise no evidence strings are produced.
Methods:
- public void attach_notify_loop ()
Attach an IO watch for the notify fd on the default main context while the subprocess runs.
- public void detach_sources ()
Remove the fd source and close the fds; safe to call from the exec finally block even when spawn failed early.
- public void drain_notify_readable ()
Drain the notify fd until it returns EAGAIN (non-blocking).
- public void finish_evidence_formatting ()
Build the network/fs appendix strings from the counters; call only after the process has exited and the fd has been drained.
- public void finish_handshake ()
After spawn: receive the notify fd sent by the child setup.
- public void wire_launcher (SubprocessLauncher launcher)
Prepare a launcher: create the socketpair, map the child end to SYNC_SOCK_CHILD_FD, and set a child_setup that installs the filter.
The NOTIFY policy is read from #bubble in the child (see #child_seccomp_handshake).
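The methods above describe one protocol: the child installs a filter whose NOTIFY rules return a listener fd, ships that fd to the parent over the socketpair, the parent serves requests while the child runs, and the counters become an appendix line after exit. The following is an added example in C, written for this page; it is not the project's Vala code and does not use its API. It assumes: a counter struct with socket/connect/openat fields, that those three syscalls are the NOTIFY set (the real policy comes from #bubble), x86_64 or aarch64 as the architecture, helper names install_notify_filter/send_fd/recv_fd/handle_one/format_evidence, and "cat /etc/hostname" as a stand-in for the bwrap command line.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#define ARCH_NR AUDIT_ARCH_X86_64  /* assumption: x86_64 otherwise; other arches fail closed (KILL) */
#endif
/* Counters the parent aggregates per run (the field set is an assumption). */
struct evidence { unsigned socket_n, connect_n, openat_n; };
union cmsg_buf { char bytes[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; };  /* aligned SCM_RIGHTS buffer */
/* Child side, before exec: socket/connect/openat go to the listener, all else is allowed,
 * and a foreign arch is killed so the nr cannot be misread. Returns the listener fd or -1. */
static int install_notify_filter(void) {
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_socket, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_connect, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_openat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
    };
    struct sock_fprog prog = { .len = (unsigned short)(sizeof code / sizeof code[0]), .filter = code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;  /* needed without CAP_SYS_ADMIN */
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
}
/* Pass one descriptor over a SOCK_STREAM socketpair (the child -> parent handshake). */
static int send_fd(int sock, int fd) {
    char byte = 'N'; union cmsg_buf u;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = &u, .msg_controllen = sizeof u };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
static int recv_fd(int sock) {
    char byte; int fd; union cmsg_buf u;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = &u, .msg_controllen = sizeof u };
    if (recvmsg(sock, &msg, 0) != 1) return -1;  /* EOF: the child died before sending */
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}
/* Parent side: dequeue one request, count it, let the kernel run the real syscall (CONTINUE).
 * NOTIF_RECV requires a zeroed struct; NOTIF_SEND fails with ENOENT if the target already died. */
static int handle_one(int notify_fd, struct evidence *ev) {
    struct seccomp_notif req; struct seccomp_notif_resp resp;
    memset(&req, 0, sizeof req); memset(&resp, 0, sizeof resp);
    if (ioctl(notify_fd, SECCOMP_IOCTL_NOTIF_RECV, &req) != 0) return -1;
    if (req.data.nr == SYS_socket) ev->socket_n++;
    else if (req.data.nr == SYS_connect) ev->connect_n++;
    else if (req.data.nr == SYS_openat) ev->openat_n++;
    resp.id = req.id; resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
    return ioctl(notify_fd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
}
/* Appendix line built from the counters once the child has exited and the fd is drained. */
static const char *format_evidence(const struct evidence *ev, char *buf, size_t len) {
    snprintf(buf, len, "net: socket=%u connect=%u; fs: openat=%u", ev->socket_n, ev->connect_n, ev->openat_n);
    return buf;
}
int main(void) {
    int sv[2], nfd; struct evidence ev = { 0, 0, 0 }; char line[96];
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) != 0) return 1;
    pid_t pid = fork();
    if (pid == 0) {  /* child_setup stand-in: install the filter, hand the fd over, exec */
        close(sv[0]);
        if ((nfd = install_notify_filter()) < 0 || send_fd(sv[1], nfd) != 0) _exit(127);
        close(nfd); close(sv[1]);
        execlp("sh", "sh", "-c", "cat /etc/hostname >/dev/null", (char *)0);
        _exit(127);
    }
    close(sv[1]);
    if ((nfd = recv_fd(sv[0])) < 0) { waitpid(pid, NULL, 0); fputs("NOTIFY unavailable\n", stderr); return 1; }
    for (;;) {  /* serve until the child is gone; poll signals readiness, NOTIF_RECV dequeues */
        struct pollfd p = { .fd = nfd, .events = POLLIN };
        if (poll(&p, 1, 100) > 0 && (p.revents & POLLIN) && handle_one(nfd, &ev) == 0) continue;
        if (waitpid(pid, NULL, WNOHANG) == pid) break;
    }
    close(nfd); close(sv[0]);
    puts(format_evidence(&ev, line, sizeof line));
    return 0;
}
```

Two caveats a practitioner should carry over. First, the child blocks inside each notified syscall until the parent replies, so the parent must keep serving the listener for the whole run and must treat a failed handshake (recv_fd returning -1 because the child died or the kernel refused the listener) as "no NOTIFY evidence", not as an error in the sandboxed command. Second, SECCOMP_USER_NOTIF_FLAG_CONTINUE only observes: the kernel re-reads the arguments after the reply, so a counter built this way is evidence for tool output, as this class produces, and not an enforcement boundary.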
Inherited Members:
All known members inherited from class GLib.Object
- @get
- @new
- @ref
- @set
- add_toggle_ref
- add_weak_pointer
- bind_property
- connect
- constructed
- disconnect
- dispose
- dup_data
- dup_qdata
- force_floating
- freeze_notify
- get_class
- get_data
- get_property
- get_qdata
- get_type
- getv
- interface_find_property
- interface_install_property
- interface_list_properties
- is_floating
- new_valist
- new_with_properties
- newv
- notify
- notify_property
- ref_count
- ref_sink
- remove_toggle_ref
- remove_weak_pointer
- replace_data
- replace_qdata
- set_data
- set_data_full
- set_property
- set_qdata
- set_qdata_full
- set_valist
- setv
- steal_data
- steal_qdata
- thaw_notify
- unref
- watch_closure
- weak_ref
- weak_unref