Documentation
¶
Index ¶
Constants ¶
View Source
const ( LaunchMethodSudo uint8 = iota LaunchMethodMachineCtl )
Variables ¶
View Source
var ( ErrConfig = errors.New("no configuration to seal") ErrUser = errors.New("unknown user") ErrLaunch = errors.New("invalid launch method") ErrSudo = errors.New("sudo not available") ErrSystemd = errors.New("systemd not available") ErrMachineCtl = errors.New("machinectl not available") )
View Source
var ( ErrWayland = errors.New(waylandDisplay + " unset") ErrXDisplay = errors.New(display + " unset") )
Functions ¶
This section is empty.
Types ¶
type App ¶
type App interface {
// ID returns a copy of App's unique ID.
ID() ID
// Start sets up the system and starts the App.
Start() error
// Wait waits for App's process to exit and reverts system setup.
Wait() (int, error)
// WaitErr returns error returned by the underlying wait syscall.
WaitErr() error
Seal(config *Config) error
String() string
}
type Config ¶
type Config struct {
// D-Bus application ID
ID string `json:"id"`
// username of the target user to switch to
User string `json:"user"`
// value passed through to the child process as its argv
Command []string `json:"command"`
// string representation of the child's launch method
Method string `json:"method"`
// child confinement configuration
Confinement ConfinementConfig `json:"confinement"`
}
Config is used to seal an *App
type ConfinementConfig ¶
type ConfinementConfig struct {
// bwrap sandbox confinement configuration
Sandbox *SandboxConfig `json:"sandbox"`
// reference to a system D-Bus proxy configuration,
// nil value disables system bus proxy
SystemBus *dbus.Config `json:"system_bus,omitempty"`
// reference to a session D-Bus proxy configuration,
// nil value makes session bus proxy assume built-in defaults
SessionBus *dbus.Config `json:"session_bus,omitempty"`
// child capability enablements
Enablements system.Enablements `json:"enablements"`
}
ConfinementConfig defines fortified child's confinement
type FilesystemConfig ¶
type FilesystemConfig struct {
// mount point in sandbox, same as src if empty
Dst string `json:"dst,omitempty"`
// host filesystem path to make available to sandbox
Src string `json:"src"`
// write access
Write bool `json:"write,omitempty"`
// device access
Device bool `json:"dev,omitempty"`
// exit if unable to share
Must bool `json:"require,omitempty"`
}
type RevertCompoundError ¶
type SandboxConfig ¶
type SandboxConfig struct {
// unix hostname within sandbox
Hostname string `json:"hostname,omitempty"`
// userns availability within sandbox
UserNS bool `json:"userns,omitempty"`
// share net namespace
Net bool `json:"net,omitempty"`
// do not run in new session
NoNewSession bool `json:"no_new_session,omitempty"`
// map target user uid to privileged user uid in the user namespace
UseRealUID bool `json:"use_real_uid"`
// mediated access to wayland socket
Wayland bool `json:"wayland,omitempty"`
// final environment variables
Env map[string]string `json:"env"`
// sandbox host filesystem access
Filesystem []*FilesystemConfig `json:"filesystem"`
// symlinks created inside the sandbox
Link [][2]string `json:"symlink"`
// paths to override by mounting tmpfs over them
Override []string `json:"override"`
}
SandboxConfig describes resources made available to the sandbox.
type StateStoreError ¶
type StateStoreError struct {
// whether inner function was called
Inner bool
// error returned by state.Store Do method
DoErr error
// error returned by state.Backend Save method
InnerErr error
// any other errors needing to be tracked
Err error
}
StateStoreError is returned for a failed state save
func (*StateStoreError) Error ¶
func (e *StateStoreError) Error() string
func (*StateStoreError) Unwrap ¶
func (e *StateStoreError) Unwrap() (errs []error)
Source Files
Click to show internal directories.
Click to hide internal directories.