Documentation
¶
Overview ¶
Package unshare implements runner that uses Linux unshare syscall & mount namespace & rlimit to restrict program access
Index ¶
Constants ¶
View Source
const ( UnshareFlags = unix.CLONE_NEWNS | unix.CLONE_NEWPID | unix.CLONE_NEWUSER | unix.CLONE_NEWUTS | unix.CLONE_NEWCGROUP )
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Runner ¶
type Runner struct {
// argv and env for the child process
Args []string
Env []string
// fexecve param
ExecFile uintptr
// workdir is the current dir after unshare mount namespaces
WorkDir string
// file disriptors for new process, from 0 to len - 1
Files []uintptr
// Resource limit set by set rlimit
RLimits []rlimit.RLimit
// Resource limit enforced by tracer
Limit runner.Limit
// Seccomp defines the seccomp filter attach to the process (should be whitelist only)
Seccomp seccomp.Filter
// New root
Root string
// Mount syscalls
Mounts []mount.SyscallParams
// hostname & domainname
HostName, DomainName string
// Show Details
ShowDetails bool
// Use by cgroup to add proc
SyncFunc func(pid int) error
}
Runner runs program in unshared namespaces
Source Files
Click to show internal directories.
Click to hide internal directories.