bwrap


Constants

// Kinds of FD-backed payload; presumably the values stored in DataConfig.Type.
//
// NOTE(review): the mapping to bwrap options is inferred from the names and
// from the CopyBind/WriteFile docs — confirm against DataConfig.Append:
// DataWrite presumably --file, DataBind --bind-data, DataROBind --ro-bind-data.
const (
	DataWrite = iota
	DataBind
	DataROBind
)

Variables

This section is empty.

Functions

This section is empty.

Types

type BoolArg added in v0.2.9

// BoolArg identifies a boolean bwrap option; Unwrap returns the flag strings
// it stands for. The option named beside each value is taken from the Config
// and UnshareConfig field comments and is presumed to be what Unwrap emits —
// confirm against Unwrap.
type BoolArg int
const (
	UnshareAll BoolArg = iota // --unshare-all (nil Config.Unshare)
	UnshareUser               // --unshare-user
	UnshareIPC                // --unshare-ipc
	UnsharePID                // --unshare-pid
	UnshareNet                // --unshare-net
	UnshareUTS                // --unshare-uts
	UnshareCGroup             // --unshare-cgroup
	ShareNet                  // --share-net (Config.Net)

	UserNS   // --disable-userns / --assert-userns-disabled (Config.UserNS); presumably why Unwrap returns []string
	Clearenv // --clearenv

	NewSession    // --new-session
	DieWithParent // --die-with-parent
	AsInit        // --as-pid-1
)

func (BoolArg) Unwrap added in v0.2.9

func (b BoolArg) Unwrap() []string

type Builder

// Builder is implemented by every config fragment that contributes bwrap
// arguments; Config.Args presumably assembles its result from them.
type Builder interface {
	// Len reports how many arguments Append will add — presumably used to
	// pre-size the argument slice; confirm against Config.Args.
	Len() int
	// Append appends this fragment's arguments to *args.
	Append(args *[]string)
}

type ChmodConfig

// ChmodConfig lists permission changes to apply inside the sandbox
// (--chmod OCTAL PATH; see Config.Chmod). The key is presumably the sandbox
// path and the value its new mode — confirm against Append.
type ChmodConfig map[string]os.FileMode

func (ChmodConfig) Append

func (c ChmodConfig) Append(args *[]string)

func (ChmodConfig) Len

func (c ChmodConfig) Len() int

type Config

// Config describes a bwrap (bubblewrap) sandbox. Args renders it into the
// bwrap command line; the Bind, Tmpfs, Overlay, etc. methods presumably
// append entries to Filesystem in call order. Each field comment names the
// bwrap option the field maps to.
type Config struct {
	// unshare every namespace we support by default if nil
	// (--unshare-all)
	Unshare *UnshareConfig `json:"unshare,omitempty"`
	// retain the network namespace (can only combine with nil Unshare)
	// (--share-net)
	Net bool `json:"net"`

	// disable further use of user namespaces inside sandbox and fail unless
	// further use of user namespace inside sandbox is disabled if false
	// (--disable-userns) (--assert-userns-disabled)
	//
	// NOTE(review): the polarity is not obvious from the wording above — it
	// reads as if the false value emits both flags; confirm against Args,
	// since this decides whether nested user namespaces are available.
	UserNS bool `json:"userns"`

	// custom uid in the sandbox, requires new user namespace
	// (--uid UID)
	UID *int `json:"uid,omitempty"`
	// custom gid in the sandbox, requires new user namespace
	// (--gid GID)
	GID *int `json:"gid,omitempty"`
	// custom hostname in the sandbox, requires new uts namespace
	// (--hostname NAME)
	Hostname string `json:"hostname,omitempty"`

	// change directory
	// (--chdir DIR)
	Chdir string `json:"chdir,omitempty"`
	// unset all environment variables
	// (--clearenv)
	Clearenv bool `json:"clearenv"`
	// set environment variable
	// (--setenv VAR VALUE)
	SetEnv map[string]string `json:"setenv,omitempty"`
	// unset environment variables
	// (--unsetenv VAR)
	UnsetEnv []string `json:"unsetenv,omitempty"`

	// take a lock on file while sandbox is running
	// (--lock-file DEST)
	LockFile []string `json:"lock_file,omitempty"`

	// ordered filesystem args
	Filesystem []FSBuilder `json:"filesystem,omitempty"`

	// change permissions (must already exist)
	// (--chmod OCTAL PATH)
	Chmod ChmodConfig `json:"chmod,omitempty"`

	// load and use seccomp rules from FD (not repeatable)
	// (--seccomp FD)
	//
	// NOTE(review): the only field without a json tag, so encoding/json uses
	// the key "Syscall" instead of the snake_case keys used elsewhere.
	Syscall *SyscallPolicy

	// create a new terminal session
	// (--new-session)
	NewSession bool `json:"new_session"`
	// kills with SIGKILL child process (COMMAND) when bwrap or bwrap's parent dies.
	// (--die-with-parent)
	DieWithParent bool `json:"die_with_parent"`
	// do not install a reaper process with PID=1
	// (--as-pid-1)
	AsInit bool `json:"as_init"`
}

func (*Config) Args

func (c *Config) Args(syncFd *os.File, extraFiles *proc.ExtraFilesPre, files *[]proc.File) (args []string)

Args returns a slice of bwrap args corresponding to c.

func (*Config) Bind

func (c *Config) Bind(src, dest string, opts ...bool) *Config

Bind bind-mounts src on the host to dest in the sandbox.

Bind(src, dest) bind-mounts the host path read-only in the sandbox (--ro-bind SRC DEST). Bind(src, dest, true) is equal to ROBind but ignores a non-existent host path (--ro-bind-try SRC DEST).

Bind(src, dest, false, true) bind-mounts the host path writable in the sandbox (--bind SRC DEST). Bind(src, dest, true, true) is equal to Bind but ignores a non-existent host path (--bind-try SRC DEST).

Bind(src, dest, false, true, true) bind-mounts the host path in the sandbox, allowing device access (--dev-bind SRC DEST). Bind(src, dest, true, true, true) is equal to DevBind but ignores a non-existent host path (--dev-bind-try SRC DEST).

func (*Config) CopyBind added in v0.2.14

func (c *Config) CopyBind(dest string, payload []byte, opts ...bool) *Config

CopyBind copies from an FD to a file which is read-only bind-mounted on DEST (--ro-bind-data FD DEST).

CopyBind(dest, payload, true) copies from an FD to a file which is bind-mounted writable on DEST (--bind-data FD DEST).

func (*Config) CopyBindRef added in v0.2.15

func (c *Config) CopyBindRef(dest string, payloadRef **[]byte, opts ...bool) *Config

CopyBindRef is the same as CopyBind but writes the address of DataConfig.Data.

func (*Config) DevTmpfs

func (c *Config) DevTmpfs(dest string) *Config

DevTmpfs mount new dev in sandbox (--dev DEST)

func (*Config) Dir

func (c *Config) Dir(dest string) *Config

Dir create dir in sandbox (--dir DEST)

func (*Config) Join added in v0.2.9

func (c *Config) Join(dest string, src ...string) *Config

Join mount overlayfs read-only on DEST (--ro-overlay DEST)

func (*Config) Mqueue

func (c *Config) Mqueue(dest string) *Config

Mqueue mount new mqueue in sandbox (--mqueue DEST)

func (*Config) Overlay added in v0.2.9

func (c *Config) Overlay(dest string, src ...string) *Config

Overlay mount overlayfs on DEST, with writes going to an invisible tmpfs (--tmp-overlay DEST)

func (*Config) Persist added in v0.2.9

func (c *Config) Persist(dest, rwsrc, workdir string, src ...string) *Config

Persist mount overlayfs on DEST, with RWSRC as the host path for writes and WORKDIR an empty directory on the same filesystem as RWSRC (--overlay RWSRC WORKDIR DEST)

func (*Config) Procfs

func (c *Config) Procfs(dest string) *Config

Procfs mount new procfs in sandbox (--proc DEST)

func (*Config) RemountRO

func (c *Config) RemountRO(dest string) *Config

RemountRO remount path as readonly; does not recursively remount (--remount-ro DEST)

func (*Config) SetGID

func (c *Config) SetGID(gid int) *Config

SetGID sets custom gid in the sandbox, requires new user namespace (--gid GID).

func (*Config) SetUID

func (c *Config) SetUID(uid int) *Config

SetUID sets custom uid in the sandbox, requires new user namespace (--uid UID).

func (c *Config) Symlink(src, dest string, perm ...os.FileMode) *Config

Symlink creates a symlink within the sandbox (--symlink SRC DEST).

func (*Config) Tmpfs

func (c *Config) Tmpfs(dest string, size int, perm ...os.FileMode) *Config

Tmpfs mount new tmpfs in sandbox (--tmpfs DEST)

func (*Config) WriteFile added in v0.2.16

func (c *Config) WriteFile(name string, data []byte) *Config

WriteFile copies from an FD to the destination DEST (--file FD DEST).

type DataConfig added in v0.2.14

// DataConfig is a payload that bwrap reads from a file descriptor and places
// at Dest (--file, --bind-data, --ro-bind-data; see Config.WriteFile and
// Config.CopyBind). It declares Path, Len and Append, so it satisfies
// FSBuilder; with the embedded proc.File it presumably satisfies FDBuilder
// as well — confirm.
type DataConfig struct {
	// destination path inside the sandbox
	Dest string `json:"dest"`
	// payload bytes, presumably what WriteTo emits; CopyBindRef stores the
	// address of this field
	Data []byte `json:"data,omitempty"`
	// presumably one of DataWrite, DataBind, DataROBind — confirm against Append
	Type int    `json:"type"`
	proc.File
}

func (*DataConfig) Append added in v0.2.14

func (d *DataConfig) Append(args *[]string)

func (*DataConfig) Init added in v0.2.14

func (d *DataConfig) Init(fd uintptr, v **os.File) uintptr

func (*DataConfig) Len added in v0.2.14

func (d *DataConfig) Len() int

func (*DataConfig) Path added in v0.2.14

func (d *DataConfig) Path() string

func (*DataConfig) WriteTo added in v0.2.14

func (d *DataConfig) WriteTo(w io.Writer) (int64, error)

type FDBuilder added in v0.2.11

// FDBuilder is a Builder whose arguments refer to a file descriptor that must
// be set up before bwrap runs; the proc.File side presumably supplies that
// descriptor (compare DataConfig.Init and DataConfig.WriteTo).
type FDBuilder interface {
	proc.File
	Builder
}

type FSBuilder

// FSBuilder is a Builder that describes one filesystem entry of the sandbox;
// Config.Filesystem holds them in order. Path presumably returns the sandbox
// path the entry targets. On this page it is implemented by DataConfig,
// OverlayConfig, PermConfig, SymlinkConfig and TmpfsConfig.
type FSBuilder interface {
	Path() string
	Builder
}

type IntArg added in v0.2.9

// IntArg identifies a bwrap option taking one integer operand; Unwrap returns
// its flag string. The options beside each value are those documented on
// Config.UID and Config.GID — presumed to be what Unwrap emits; confirm.
type IntArg int
const (
	UID IntArg = iota // --uid UID
	GID               // --gid GID
)

func (IntArg) Unwrap added in v0.2.9

func (i IntArg) Unwrap() string

type OverlayConfig added in v0.2.9

// OverlayConfig describes an overlayfs mount inside the sandbox. Which of the
// three bwrap overlay options is emitted depends on Persist, as described on
// that field; Config.Join, Config.Overlay and Config.Persist are the builder
// forms for the read-only, tmpfs-backed and host-backed variants.
type OverlayConfig struct {
	/*
		read files from SRC in the following overlay
		(--overlay-src SRC)
	*/
	Src []string `json:"src,omitempty"`

	/*
		mount overlayfs on DEST, with RWSRC as the host path for writes and
		WORKDIR an empty directory on the same filesystem as RWSRC
		(--overlay RWSRC WORKDIR DEST)

		if nil, mount overlayfs on DEST, with writes going to an invisible tmpfs
		(--tmp-overlay DEST)

		if either strings are empty, mount overlayfs read-only on DEST
		(--ro-overlay DEST)
	*/
	Persist *[2]string `json:"persist,omitempty"`

	/*
		mount point in the sandbox, used by all three forms:

		--overlay RWSRC WORKDIR DEST

		--tmp-overlay DEST

		--ro-overlay DEST
	*/
	Dest string `json:"dest"`
}

func (*OverlayConfig) Append added in v0.2.9

func (o *OverlayConfig) Append(args *[]string)

func (*OverlayConfig) Len added in v0.2.9

func (o *OverlayConfig) Len() int

func (*OverlayConfig) Path added in v0.2.9

func (o *OverlayConfig) Path() string

type PairArg added in v0.2.9

// PairArg identifies a bwrap option taking two operands; Unwrap returns its
// flag string. SetEnv corresponds to the option documented on Config.SetEnv —
// presumed to be what Unwrap emits; confirm.
type PairArg int
const (
	SetEnv PairArg = iota // --setenv VAR VALUE
)

func (PairArg) Unwrap added in v0.2.9

func (p PairArg) Unwrap() string

type PermConfig

// PermConfig wraps an FSBuilder so that the entry it produces is created with
// a specific mode: when Mode is set, a --perms OCTAL argument is emitted ahead
// of Inner's own arguments. It implements FSBuilder itself (Path, Len, Append).
type PermConfig[T FSBuilder] struct {
	// set permissions of next argument
	// (--perms OCTAL)
	Mode *os.FileMode `json:"mode,omitempty"`
	// path to get the new permission
	// (--bind-data, --file, etc.)
	Inner T `json:"path"`
}

func (*PermConfig[T]) Append

func (p *PermConfig[T]) Append(args *[]string)

func (*PermConfig[T]) Len

func (p *PermConfig[T]) Len() int

func (*PermConfig[T]) Path

func (p *PermConfig[T]) Path() string

type PositionalArg added in v0.2.9

// PositionalArg identifies a bwrap option that takes positional operands;
// String renders its flag. The option beside each value is the one documented
// on Config and the *Config types for the same name — presumed to be what
// String returns; confirm against String.
type PositionalArg int
const (
	Tmpfs PositionalArg = iota // --tmpfs DEST
	Symlink                    // --symlink SRC DEST

	Bind       // --bind SRC DEST
	BindTry    // --bind-try SRC DEST
	DevBind    // --dev-bind SRC DEST
	DevBindTry // --dev-bind-try SRC DEST
	ROBind     // --ro-bind SRC DEST
	ROBindTry  // --ro-bind-try SRC DEST

	Chmod     // --chmod OCTAL PATH
	Dir       // --dir DEST
	RemountRO // --remount-ro DEST
	Procfs    // --proc DEST
	DevTmpfs  // --dev DEST
	Mqueue    // --mqueue DEST

	Perms // --perms OCTAL (PermConfig)
	Size  // --size BYTES (TmpfsConfig)

	OverlaySrc // --overlay-src SRC
	Overlay    // --overlay RWSRC WORKDIR DEST
	TmpOverlay // --tmp-overlay DEST
	ROOverlay  // --ro-overlay DEST

	SyncFd  // presumably --sync-fd FD, fed by the syncFd passed to Config.Args — confirm
	Seccomp // --seccomp FD (Config.Syscall)

	File       // --file FD DEST
	BindData   // --bind-data FD DEST
	ROBindData // --ro-bind-data FD DEST
)

func (PositionalArg) String added in v0.2.14

func (p PositionalArg) String() string

type StringArg added in v0.2.9

// StringArg identifies a bwrap option taking one string operand; Unwrap
// returns its flag string. The options beside each value are those documented
// on the Config field of the same name — presumed to be what Unwrap emits;
// confirm.
type StringArg int
const (
	Hostname StringArg = iota // --hostname NAME
	Chdir                     // --chdir DIR
	UnsetEnv                  // --unsetenv VAR
	LockFile                  // --lock-file DEST
)

func (StringArg) Unwrap added in v0.2.9

func (s StringArg) Unwrap() string

type SymlinkConfig

// SymlinkConfig is a --symlink SRC DEST entry (see Config.Symlink); the two
// elements are presumably [src, dest] in that order — confirm against Append.
// It implements FSBuilder (Path, Len, Append).
type SymlinkConfig [2]string

func (SymlinkConfig) Append

func (s SymlinkConfig) Append(args *[]string)

func (SymlinkConfig) Len

func (s SymlinkConfig) Len() int

func (SymlinkConfig) Path

func (s SymlinkConfig) Path() string

type SyscallPolicy added in v0.2.11

// SyscallPolicy selects the seccomp rules loaded into the sandbox through
// --seccomp FD (see Config.Syscall, which is not repeatable). Each boolean
// widens or narrows the filter as its comment states.
type SyscallPolicy struct {
	// disable fortify extensions
	Compat bool `json:"compat"`
	// deny development syscalls
	DenyDevel bool `json:"deny_devel"`
	// deny multiarch/emulation syscalls
	Multiarch bool `json:"multiarch"`
	// allow PER_LINUX32
	Linux32 bool `json:"linux32"`
	// allow AF_CAN
	Can bool `json:"can"`
	// allow AF_BLUETOOTH
	Bluetooth bool `json:"bluetooth"`
}

type TmpfsConfig

// TmpfsConfig mounts a new tmpfs in the sandbox (see Config.Tmpfs). It
// implements FSBuilder (Path, Len, Append).
type TmpfsConfig struct {
	// set size of tmpfs; zero is omitted from JSON and presumably
	// emits no --size argument — confirm against Append
	// (--size BYTES)
	Size int `json:"size,omitempty"`
	// mount point of new tmpfs
	// (--tmpfs DEST)
	Dir string `json:"dir"`
}

func (*TmpfsConfig) Append

func (t *TmpfsConfig) Append(args *[]string)

func (*TmpfsConfig) Len

func (t *TmpfsConfig) Len() int

func (*TmpfsConfig) Path

func (t *TmpfsConfig) Path() string

type UnshareConfig

// UnshareConfig selects namespaces to unshare individually. A nil
// Config.Unshare means --unshare-all; supplying a non-nil value with a
// field left false presumably keeps that namespace shared with the host,
// so callers opting out of the default should review each field.
type UnshareConfig struct {
	// (--unshare-user)
	// create new user namespace
	User bool `json:"user"`
	// (--unshare-ipc)
	// create new ipc namespace
	IPC bool `json:"ipc"`
	// (--unshare-pid)
	// create new pid namespace
	PID bool `json:"pid"`
	// (--unshare-net)
	// create new network namespace
	Net bool `json:"net"`
	// (--unshare-uts)
	// create new uts namespace
	UTS bool `json:"uts"`
	// (--unshare-cgroup)
	// create new cgroup namespace
	CGroup bool `json:"cgroup"`
}
