fst

package
v0.2.7 Latest
Warning

This package is not in the latest version of its module.

Published: Dec 22, 2024 License: MIT Imports: 8 Imported by: 0

Documentation

Overview

Package fst exports shared fortify types.

Index

Constants

// Tmp is the path "/.fortify".
// NOTE(review): its role is not documented on this page; the name suggests a
// scratch directory, presumably at the root of the sandbox's filesystem view.
// Confirm against the callers before relying on where it is created.
const Tmp = "/.fortify"

Variables

var (
	// ErrInvalidLength reports a string representation whose length is not 32.
	// NOTE(review): presumably returned by ParseAppID for the string form of
	// an ID (16 bytes, two characters each); confirm, and match it with
	// errors.Is rather than by message text.
	ErrInvalidLength = errors.New("string representation must have a length of 32")
)

Functions

func NewAppID

// NewAppID stores a result in *id and returns an error.
// NOTE(review): the body is not shown on this page. From the name and
// signature it presumably fills *id with a fresh identifier. If the ID is used
// to name per-instance paths or sockets, confirm the bytes come from
// crypto/rand and that callers do not ignore the returned error.
func NewAppID(id *ID) error

func ParseAppID

// ParseAppID converts s into *id and returns an error.
// NOTE(review): the body is not shown on this page. ErrInvalidLength's message
// indicates s must be exactly 32 characters, presumably hexadecimal for the
// 16-byte ID. Confirm that characters outside the expected alphabet are
// rejected with an error and that *id is not left partially written on failure.
func ParseAppID(id *ID, s string) error

Types

type Config

// Config describes one application to be run confined: its identifier, the
// argv to execute and the confinement applied to the child.
//
// The json tags show this struct is meant to be serialised, so whoever can
// write the serialised form chooses both the command and how weakly it is
// confined. Store and load it with that in mind.
type Config struct {
	// D-Bus application ID
	ID string `json:"id"`
	// value passed through to the child process as its argv
	// NOTE(review): being an argv list, this is presumably executed without
	// shell interpretation; confirm in the launcher.
	Command []string `json:"command"`

	// child confinement configuration
	Confinement ConfinementConfig `json:"confinement"`
}

Config is used to seal an *App

func Template

// Template returns a *Config.
// NOTE(review): the body is not shown on this page. If every field is filled
// in for illustration, the result presumably switches on options that a real
// application does not need. Treat it as an example of the schema rather than
// a least-privilege starting point, and confirm the values before copying.
func Template() *Config

Template returns a fully populated instance of Config.

type ConfinementConfig

// ConfinementConfig collects the identity, home directory, sandbox and D-Bus
// proxy settings applied to the confined child.
type ConfinementConfig struct {
	// numerical application id, determines uid in the init namespace
	// NOTE(review): no bounds are visible on this int; confirm that the
	// consumer validates the range so the derived uid cannot land on an
	// existing host account.
	AppID int `json:"app_id"`
	// list of supplementary groups to inherit
	// each entry extends what the child may access through group
	// permissions, so list only the groups the application needs
	Groups []string `json:"groups"`
	// passwd username in the sandbox, defaults to chronos
	Username string `json:"username,omitempty"`
	// home directory in sandbox, empty for outer
	Inner string `json:"home_inner"`
	// home directory in init namespace
	// NOTE(review): presumably a host path exposed to the child; confirm it
	// is dedicated to this application and not shared with the real user.
	Outer string `json:"home"`
	// bwrap sandbox confinement configuration
	// NOTE(review): a pointer without omitempty; the meaning of nil (JSON
	// null) is not stated here. Confirm that nil cannot result in a child
	// running without a sandbox.
	Sandbox *SandboxConfig `json:"sandbox"`

	// reference to a system D-Bus proxy configuration,
	// nil value disables system bus proxy
	SystemBus *dbus.Config `json:"system_bus,omitempty"`
	// reference to a session D-Bus proxy configuration,
	// nil value makes session bus proxy assume built-in defaults
	// unlike SystemBus, nil does not disable the proxy here; the built-in
	// defaults are not shown on this page and should be reviewed
	SessionBus *dbus.Config `json:"session_bus,omitempty"`

	// child capability enablements
	// NOTE(review): system.Enablements is defined outside this page; review
	// each enabled item as a grant of host access to the child.
	Enablements system.Enablements `json:"enablements"`
}

ConfinementConfig defines fortified child's confinement

type FilesystemConfig

// FilesystemConfig describes one host path made available inside the sandbox.
// All three booleans are opt-in: an omitted JSON key decodes to false.
type FilesystemConfig struct {
	// mount point in sandbox, same as src if empty
	Dst string `json:"dst,omitempty"`
	// host filesystem path to make available to sandbox
	// NOTE(review): no normalisation or symlink handling is visible here;
	// confirm how the consumer resolves this path before mounting it.
	Src string `json:"src"`
	// write access
	// NOTE(review): false presumably yields a read-only mount; confirm.
	Write bool `json:"write,omitempty"`
	// device access
	// serialised as "dev"
	// NOTE(review): presumably allows device nodes under Src to be used from
	// inside the sandbox; confirm, and enable only for paths that need it.
	Device bool `json:"dev,omitempty"`
	// exit if unable to share
	// serialised as "require"
	// NOTE(review): when false, a path that cannot be shared is presumably
	// skipped without failing the launch; confirm that this is reported.
	Must bool `json:"require,omitempty"`
}

type ID

// ID is a 16-byte identifier. ErrInvalidLength's message fixes the length of
// a string representation at 32 characters.
// NOTE(review): two characters per byte suggests hexadecimal; confirm against
// String and ParseAppID.
type ID [16]byte

func (*ID) String

func (a *ID) String() string

type SandboxConfig

// SandboxConfig lists what the sandbox shares with, or hides from, the host.
// Every boolean decodes to false when its JSON key is absent, so each sharing
// option below has to be switched on explicitly.
type SandboxConfig struct {
	// unix hostname within sandbox
	Hostname string `json:"hostname,omitempty"`
	// userns availability within sandbox
	// NOTE(review): presumably lets the child create nested user namespaces,
	// which widens the kernel interface it can reach; leave false unless the
	// application requires it. Confirm.
	UserNS bool `json:"userns,omitempty"`
	// share net namespace
	// NOTE(review): presumably the host's network namespace, which would make
	// host-local listeners reachable from the child; confirm.
	Net bool `json:"net,omitempty"`
	// share all devices
	Dev bool `json:"dev,omitempty"`
	// do not run in new session
	// NOTE(review): presumably omits bwrap's --new-session, which bubblewrap
	// documents as the protection against a sandboxed process pushing input
	// into the controlling terminal; leave false unless job control is
	// needed. Confirm.
	NoNewSession bool `json:"no_new_session,omitempty"`
	// map target user uid to privileged user uid in the user namespace
	// NOTE(review): "privileged user" is not defined on this page; confirm
	// which uid the child observes and that host file ownership checks are
	// unaffected.
	MapRealUID bool `json:"map_real_uid"`
	// direct access to wayland socket
	// NOTE(review): presumably hands the compositor socket to the child
	// without mediation; confirm what the false path provides instead.
	DirectWayland bool `json:"direct_wayland,omitempty"`

	// final environment variables
	// NOTE(review): "final" suggests the child receives exactly this map
	// rather than an inherited environment; confirm, and keep credentials out
	// of a serialised config.
	Env map[string]string `json:"env"`
	// sandbox host filesystem access
	Filesystem []*FilesystemConfig `json:"filesystem"`
	// symlinks created inside the sandbox
	// NOTE(review): the order within each pair (target, link name) is not
	// stated on this page; confirm.
	Link [][2]string `json:"symlink"`
	// automatically set up /etc symlinks
	AutoEtc bool `json:"auto_etc"`
	// paths to override by mounting tmpfs over them
	Override []string `json:"override"`
}

SandboxConfig describes resources made available to the sandbox.

func (*SandboxConfig) Bwrap

func (s *SandboxConfig) Bwrap(os linux.System) (*bwrap.Config, error)

Bwrap returns the address of the bwrap.Config corresponding to s. Note that any remaining tmpfs entries must be queued by the caller prior to launch.
