Documentation
Overview
Package fsgofer implements p9.File, giving access to local files through a simple mapping: a path prefix is added to the path requested by the sandbox. For example:

    prefix: "/docker/imgs/alpine"
    app path: /bin/ls => /docker/imgs/alpine/bin/ls
Constants
This section is empty.
Variables
This section is empty.
Functions
func NewAttachPoint
NewAttachPoint creates a new attacher that gives local file access to all files under 'prefix'. 'prefix' must be an absolute path.
func OpenProcSelfFD
func OpenProcSelfFD() error
OpenProcSelfFD opens the /proc/self/fd directory, which will be used to reopen file descriptors.
Types
type Config
type Config struct {
	// ROMount is set to true if this is a readonly mount.
	ROMount bool

	// PanicOnWrite panics on attempts to write to RO mounts.
	PanicOnWrite bool

	// HostUDS signals whether the gofer can mount a host's UDS.
	HostUDS bool

	// EnableVerityXattr allows access to extended attributes used by the
	// verity file system.
	EnableVerityXattr bool
}
Config sets configuration options for each attach point.
type LisafsServer
LisafsServer implements lisafs.ServerImpl for fsgofer.
func NewLisafsServer
func NewLisafsServer(config Config) *LisafsServer
NewLisafsServer initializes a new lisafs server for fsgofer.
func (*LisafsServer) MaxMessageSize
func (s *LisafsServer) MaxMessageSize() uint32
MaxMessageSize implements lisafs.ServerImpl.MaxMessageSize.
func (*LisafsServer) Mount
func (s *LisafsServer) Mount(c *lisafs.Connection, mountPath string) (lisafs.ControlFDImpl, lisafs.Inode, error)
Mount implements lisafs.ServerImpl.Mount.
func (*LisafsServer) SupportedMessages
func (s *LisafsServer) SupportedMessages() []lisafs.MID
SupportedMessages implements lisafs.ServerImpl.SupportedMessages.
Directories
Path | Synopsis |
---|---|
 | Package filter defines all syscalls the gofer is allowed to make, and installs seccomp filters to prevent prohibited syscalls in case it's compromised. |