- Constants
- type Builder
- type ChmodConfig
- type Config
- func (c *Config) Args() (args []string)
- func (c *Config) Bind(src, dest string, opts ...bool) *Config
- func (c *Config) DevTmpfs(dest string) *Config
- func (c *Config) Dir(dest string) *Config
- func (c *Config) Mqueue(dest string) *Config
- func (c *Config) Procfs(dest string) *Config
- func (c *Config) RemountRO(dest string) *Config
- func (c *Config) SetGID(gid int) *Config
- func (c *Config) SetUID(uid int) *Config
- func (c *Config) Symlink(src, dest string, perm ...os.FileMode) *Config
- func (c *Config) Tmpfs(dest string, size int, perm ...os.FileMode) *Config
- type FSBuilder
- type PermConfig
- type SymlinkConfig
- type TmpfsConfig
- type UnshareConfig
Constants ¶
const (
	// Tmpfs, Dir and Symlink name the three kinds of filesystem entry the
	// package creates; they mirror Config.Tmpfs, Config.Dir and
	// Config.Symlink. Presumably they discriminate entries stored in
	// Config.Filesystem — confirm against the FSBuilder implementations.
	Tmpfs = iota
	Dir
	Symlink
)
// UserNS, Clearenv, NewSession, DieWithParent and AsInit match the bool
// fields of Config of the same names, i.e. the bwrap options that take no
// argument (--disable-userns, --clearenv, --new-session, --die-with-parent,
// --as-pid-1).
//
// NOTE(review): as rendered this block shows no initializer; in the source
// the first constant is presumably `= iota` (or the block continues an
// earlier one) — confirm before relying on the numeric values.
const (
	UserNS
	Clearenv
	NewSession
	DieWithParent
	AsInit
)
const (
	// UID, GID, Perms and Size match the bwrap options that take one
	// numeric argument: --uid UID and --gid GID (Config.SetUID/SetGID),
	// --perms OCTAL (PermConfig.Mode) and --size BYTES (TmpfsConfig.Size).
	UID = iota
	GID
	Perms
	Size
)
const (
	// SetEnv through Chmod match the bwrap options that take two
	// arguments: --setenv VAR VALUE, the six bind variants emitted by
	// Config.Bind (--bind, --bind-try, --dev-bind, --dev-bind-try,
	// --ro-bind, --ro-bind-try, each SRC DEST), and --chmod OCTAL PATH.
	// DevBind and DevBindTry are the variants that grant device access.
	SetEnv = iota
	Bind
	BindTry
	DevBind
	DevBindTry
	ROBind
	ROBindTry
	Chmod
)
const (
	// Hostname through Mqueue match the bwrap options that take one
	// path or name argument: --hostname NAME, --chdir DIR, --unsetenv VAR,
	// --lock-file DEST, --remount-ro DEST, and the mounts created by
	// Config.Procfs, Config.DevTmpfs and Config.Mqueue (each DEST).
	Hostname = iota
	Chdir
	UnsetEnv
	LockFile
	RemountRO
	Procfs
	DevTmpfs
	Mqueue
)
Types ¶
type ChmodConfig ¶
func (ChmodConfig) Append ¶
func (c ChmodConfig) Append(args *[]string)
func (ChmodConfig) Len ¶
func (c ChmodConfig) Len() int
type Config ¶
// Config describes a bubblewrap (bwrap) sandbox. Each field maps to the
// bwrap option named in parentheses in its comment; Config.Args renders
// the whole struct as the argument list. Because the struct is JSON-tagged
// it may be loaded from serialized input; such input fully determines what
// the sandbox exposes (bind mounts, device access, namespaces), so review
// it before use.
type Config struct {
	// namespaces to unshare. Presumably nil selects --unshare-all, which
	// is the only setting Net combines with — confirm against Args.
	// (--unshare-all)
	Unshare *UnshareConfig `json:"unshare,omitempty"`
	// retain the network namespace (can only combine with nil Unshare)
	// (--share-net)
	Net bool `json:"net"`
	// true: disable further use of user namespaces inside the sandbox
	// (--disable-userns). false: fail unless further use of user
	// namespaces inside the sandbox is already disabled
	// (--assert-userns-disabled). This is how the original comment reads;
	// confirm the true/false mapping against Args.
	UserNS bool `json:"userns"`
	// custom uid in the sandbox, requires new user namespace; nil leaves
	// the uid unchanged
	// (--uid UID)
	UID *int `json:"uid,omitempty"`
	// custom gid in the sandbox, requires new user namespace; nil leaves
	// the gid unchanged
	// (--gid GID)
	GID *int `json:"gid,omitempty"`
	// custom hostname in the sandbox, requires new uts namespace
	// (--hostname NAME)
	Hostname string `json:"hostname,omitempty"`
	// change directory
	// (--chdir DIR)
	Chdir string `json:"chdir,omitempty"`
	// unset all environment variables
	// (--clearenv)
	Clearenv bool `json:"clearenv"`
	// set environment variables; map order is random, so presumably Args
	// sorts keys for a stable command line — verify
	// (--setenv VAR VALUE)
	SetEnv map[string]string `json:"setenv,omitempty"`
	// unset environment variables
	// (--unsetenv VAR)
	UnsetEnv []string `json:"unsetenv,omitempty"`
	// take a lock on file while sandbox is running
	// (--lock-file DEST)
	LockFile []string `json:"lock_file,omitempty"`
	// ordered filesystem args (order is significant for mounts). No json
	// tag, so it serializes under "Filesystem"; FSBuilder is presumably
	// an interface, so JSON decoding of this field needs custom handling
	// — verify.
	Filesystem []FSBuilder
	// change permissions (must already exist)
	// (--chmod OCTAL PATH)
	Chmod ChmodConfig `json:"chmod,omitempty"`
	// create a new terminal session
	// (--new-session)
	NewSession bool `json:"new_session"`
	// kills with SIGKILL child process (COMMAND) when bwrap or bwrap's parent dies.
	// (--die-with-parent)
	DieWithParent bool `json:"die_with_parent"`
	// do not install a reaper process with PID=1
	// (--as-pid-1)
	AsInit bool `json:"as_init"`
}
func (*Config) Bind ¶
Bind bind-mounts src on the host to dest in the sandbox.
Bind(src, dest) bind-mounts the host path read-only in the sandbox (--ro-bind SRC DEST). Bind(src, dest, true) is equal to ROBind but ignores a non-existent host path (--ro-bind-try SRC DEST).
Bind(src, dest, false, true) bind-mounts the host path in the sandbox without the read-only restriction (--bind SRC DEST). Bind(src, dest, true, true) is equal to Bind but ignores a non-existent host path (--bind-try SRC DEST).
Bind(src, dest, false, true, true) bind-mounts the host path in the sandbox, additionally allowing device access (--dev-bind SRC DEST). Bind(src, dest, true, true, true) is equal to DevBind but ignores a non-existent host path (--dev-bind-try SRC DEST).
func (*Config) RemountRO ¶
RemountRO remounts dest as read-only; it does not remount recursively (--remount-ro DEST).
func (*Config) SetGID ¶
SetGID sets custom gid in the sandbox, requires new user namespace (--gid GID).
func (*Config) SetUID ¶
SetUID sets custom uid in the sandbox, requires new user namespace (--uid UID).
type PermConfig ¶
// PermConfig wraps another filesystem entry and sets the permissions of
// the path that entry creates. Presumably Append emits --perms OCTAL
// immediately before Inner's own option, since --perms applies to the
// next argument — confirm against Append.
type PermConfig[T FSBuilder] struct {
	// set permissions of next argument; nil presumably emits no --perms
	// (--perms OCTAL)
	Mode *os.FileMode `json:"mode,omitempty"`
	// the entry whose path receives the new permission
	// (--bind-data, --file, etc.)
	Inner T `json:"path"`
}
func (*PermConfig[T]) Append ¶
func (p *PermConfig[T]) Append(args *[]string)
func (*PermConfig[T]) Len ¶
func (p *PermConfig[T]) Len() int
func (*PermConfig[T]) Path ¶
func (p *PermConfig[T]) Path() string
type SymlinkConfig ¶
// SymlinkConfig is a symlink filesystem entry. The two elements presumably
// hold src and dest in the order Config.Symlink(src, dest) takes them —
// confirm against Append and Path.
type SymlinkConfig [2]string
func (SymlinkConfig) Append ¶
func (s SymlinkConfig) Append(args *[]string)
func (SymlinkConfig) Len ¶
func (s SymlinkConfig) Len() int
func (SymlinkConfig) Path ¶
func (s SymlinkConfig) Path() string
type TmpfsConfig ¶
// TmpfsConfig mounts a new tmpfs at Dir, optionally bounded to Size bytes.
//
// NOTE(review): with Size zero the tmpfs is presumably unbounded (kernel
// default), letting the sandboxed process grow it freely; set Size for
// untrusted workloads — confirm against Append.
type TmpfsConfig struct {
	// set size of tmpfs in bytes; omitted from JSON when zero
	// (--size BYTES)
	Size int `json:"size,omitempty"`
	// mount point of the new tmpfs
	// (--tmpfs DEST)
	Dir string `json:"dir"`
}
func (*TmpfsConfig) Append ¶
func (t *TmpfsConfig) Append(args *[]string)
func (*TmpfsConfig) Len ¶
func (t *TmpfsConfig) Len() int
func (*TmpfsConfig) Path ¶
func (t *TmpfsConfig) Path() string
type UnshareConfig ¶
// UnshareConfig selects which namespaces the sandbox is created in. A
// false field presumably creates no new namespace of that kind, so the
// sandbox keeps the parent's — confirm against Args. The per-namespace
// bwrap flags are not shown here; see Config.Unshare for --unshare-all.
type UnshareConfig struct {
	// create new user namespace (required by Config.UID and Config.GID)
	User bool `json:"user"`
	// create new ipc namespace
	IPC bool `json:"ipc"`
	// create new pid namespace
	PID bool `json:"pid"`
	// create new network namespace
	Net bool `json:"net"`
	// create new uts namespace (required by Config.Hostname)
	UTS bool `json:"uts"`
	// create new cgroup namespace
	CGroup bool `json:"cgroup"`
}