nsjail

package
v0.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 24, 2023 License: BSD-3-Clause Imports: 4 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	Default_IdMap_InsideId    = string("")
	Default_IdMap_OutsideId   = string("")
	Default_IdMap_Count       = uint32(1)
	Default_IdMap_UseNewidmap = bool(false)
)

Default values for IdMap fields.

View Source 
const (
	Default_MountPt_Src          = string("")
	Default_MountPt_PrefixSrcEnv = string("")
	Default_MountPt_Dst          = string("")
	Default_MountPt_PrefixDstEnv = string("")
	Default_MountPt_Fstype       = string("")
	Default_MountPt_Options      = string("")
	Default_MountPt_IsBind       = bool(false)
	Default_MountPt_Rw           = bool(false)
	Default_MountPt_Mandatory    = bool(true)
	Default_MountPt_IsSymlink    = bool(false)
	Default_MountPt_Nosuid       = bool(false)
	Default_MountPt_Nodev        = bool(false)
	Default_MountPt_Noexec       = bool(false)
)

Default values for MountPt fields.

View Source 
const (
	Default_NsJailConfig_Name                    = string("")
	Default_NsJailConfig_Mode                    = Mode_ONCE
	Default_NsJailConfig_Hostname                = string("NSJAIL")
	Default_NsJailConfig_Cwd                     = string("/")
	Default_NsJailConfig_NoPivotroot             = bool(false)
	Default_NsJailConfig_Port                    = uint32(0)
	Default_NsJailConfig_Bindhost                = string("::")
	Default_NsJailConfig_MaxConns                = uint32(0)
	Default_NsJailConfig_MaxConnsPerIp           = uint32(0)
	Default_NsJailConfig_TimeLimit               = uint32(600)
	Default_NsJailConfig_Daemon                  = bool(false)
	Default_NsJailConfig_MaxCpus                 = uint32(0)
	Default_NsJailConfig_KeepEnv                 = bool(false)
	Default_NsJailConfig_KeepCaps                = bool(false)
	Default_NsJailConfig_Silent                  = bool(false)
	Default_NsJailConfig_SkipSetsid              = bool(false)
	Default_NsJailConfig_StderrToNull            = bool(false)
	Default_NsJailConfig_DisableNoNewPrivs       = bool(false)
	Default_NsJailConfig_RlimitAs                = uint64(4096)
	Default_NsJailConfig_RlimitAsType            = RLimit_VALUE
	Default_NsJailConfig_RlimitCore              = uint64(0)
	Default_NsJailConfig_RlimitCoreType          = RLimit_VALUE
	Default_NsJailConfig_RlimitCpu               = uint64(600)
	Default_NsJailConfig_RlimitCpuType           = RLimit_VALUE
	Default_NsJailConfig_RlimitFsize             = uint64(1)
	Default_NsJailConfig_RlimitFsizeType         = RLimit_VALUE
	Default_NsJailConfig_RlimitNofile            = uint64(32)
	Default_NsJailConfig_RlimitNofileType        = RLimit_VALUE
	Default_NsJailConfig_RlimitNproc             = uint64(1024)
	Default_NsJailConfig_RlimitNprocType         = RLimit_SOFT
	Default_NsJailConfig_RlimitStack             = uint64(8)
	Default_NsJailConfig_RlimitStackType         = RLimit_SOFT
	Default_NsJailConfig_RlimitMemlock           = uint64(64)
	Default_NsJailConfig_RlimitMemlockType       = RLimit_SOFT
	Default_NsJailConfig_RlimitRtprio            = uint64(0)
	Default_NsJailConfig_RlimitRtprioType        = RLimit_SOFT
	Default_NsJailConfig_RlimitMsgqueue          = uint64(1024)
	Default_NsJailConfig_RlimitMsgqueueType      = RLimit_SOFT
	Default_NsJailConfig_DisableRl               = bool(false)
	Default_NsJailConfig_PersonaAddrCompatLayout = bool(false)
	Default_NsJailConfig_PersonaMmapPageZero     = bool(false)
	Default_NsJailConfig_PersonaReadImpliesExec  = bool(false)
	Default_NsJailConfig_PersonaAddrLimit_3Gb    = bool(false)
	Default_NsJailConfig_PersonaAddrNoRandomize  = bool(false)
	Default_NsJailConfig_CloneNewnet             = bool(true)
	Default_NsJailConfig_CloneNewuser            = bool(true)
	Default_NsJailConfig_CloneNewns              = bool(true)
	Default_NsJailConfig_CloneNewpid             = bool(true)
	Default_NsJailConfig_CloneNewipc             = bool(true)
	Default_NsJailConfig_CloneNewuts             = bool(true)
	Default_NsJailConfig_CloneNewcgroup          = bool(true)
	Default_NsJailConfig_CloneNewtime            = bool(false)
	Default_NsJailConfig_MountProc               = bool(false)
	Default_NsJailConfig_CgroupMemMax            = uint64(0)
	Default_NsJailConfig_CgroupMemMemswMax       = uint64(0)
	Default_NsJailConfig_CgroupMemSwapMax        = int64(-1)
	Default_NsJailConfig_CgroupMemMount          = string("/sys/fs/cgroup/memory")
	Default_NsJailConfig_CgroupMemParent         = string("NSJAIL")
	Default_NsJailConfig_CgroupPidsMax           = uint64(0)
	Default_NsJailConfig_CgroupPidsMount         = string("/sys/fs/cgroup/pids")
	Default_NsJailConfig_CgroupPidsParent        = string("NSJAIL")
	Default_NsJailConfig_CgroupNetClsClassid     = uint32(0)
	Default_NsJailConfig_CgroupNetClsMount       = string("/sys/fs/cgroup/net_cls")
	Default_NsJailConfig_CgroupNetClsParent      = string("NSJAIL")
	Default_NsJailConfig_CgroupCpuMsPerSec       = uint32(0)
	Default_NsJailConfig_CgroupCpuMount          = string("/sys/fs/cgroup/cpu")
	Default_NsJailConfig_CgroupCpuParent         = string("NSJAIL")
	Default_NsJailConfig_Cgroupv2Mount           = string("/sys/fs/cgroup")
	Default_NsJailConfig_UseCgroupv2             = bool(false)
	Default_NsJailConfig_IfaceNoLo               = bool(false)
	Default_NsJailConfig_MacvlanVsIp             = string("192.168.0.2")
	Default_NsJailConfig_MacvlanVsNm             = string("255.255.255.0")
	Default_NsJailConfig_MacvlanVsGw             = string("192.168.0.1")
	Default_NsJailConfig_MacvlanVsMa             = string("")
	Default_NsJailConfig_MacvlanVsMo             = string("private")
	Default_NsJailConfig_NiceLevel               = int32(19)
	Default_NsJailConfig_DisableTsc              = bool(false)
	Default_NsJailConfig_ForwardSignals          = bool(false)
)

Default values for NsJailConfig fields.

View Source 
const (
	Default_Exe_ExecFd = bool(false)
)

Default values for Exe fields.

Variables

View Source 
var (
	Mode_name = map[int32]string{
		0: "LISTEN",
		1: "ONCE",
		2: "RERUN",
		3: "EXECVE",
	}
	Mode_value = map[string]int32{
		"LISTEN": 0,
		"ONCE":   1,
		"RERUN":  2,
		"EXECVE": 3,
	}
)

Enum value maps for Mode.

View Source 
var (
	LogLevel_name = map[int32]string{
		0: "DEBUG",
		1: "INFO",
		2: "WARNING",
		3: "ERROR",
		4: "FATAL",
	}
	LogLevel_value = map[string]int32{
		"DEBUG":   0,
		"INFO":    1,
		"WARNING": 2,
		"ERROR":   3,
		"FATAL":   4,
	}
)

Enum value maps for LogLevel.

View Source 
var (
	RLimit_name = map[int32]string{
		0: "VALUE",
		1: "SOFT",
		2: "HARD",
		3: "INF",
	}
	RLimit_value = map[string]int32{
		"VALUE": 0,
		"SOFT":  1,
		"HARD":  2,
		"INF":   3,
	}
)

Enum value maps for RLimit.

View Source 
var (
	Default_MountPt_SrcContent = []byte("")
)

Default values for MountPt fields.

View Source 
var File_config_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type Exe 

type Exe struct {

	// Will be used both as execv's path and as argv[0]
	Path *string `protobuf:"bytes,1,req,name=path" json:"path,omitempty"`
	// This will be argv[1] and so on..
	Arg []string `protobuf:"bytes,2,rep,name=arg" json:"arg,omitempty"`
	// Override argv[0]
	Arg0 *string `protobuf:"bytes,3,opt,name=arg0" json:"arg0,omitempty"`
	// Should execveat() be used to execute a file-descriptor instead?
	ExecFd *bool `protobuf:"varint,4,opt,name=exec_fd,json=execFd,def=0" json:"exec_fd,omitempty"`
	// contains filtered or unexported fields
}

func (*Exe) Descriptor deprecated 

func (*Exe) Descriptor() ([]byte, []int)

Deprecated: Use Exe.ProtoReflect.Descriptor instead.

func (*Exe) GetArg 

func (x *Exe) GetArg() []string

func (*Exe) GetArg0 

func (x *Exe) GetArg0() string

func (*Exe) GetExecFd 

func (x *Exe) GetExecFd() bool

func (*Exe) GetPath 

func (x *Exe) GetPath() string

func (*Exe) ProtoMessage 

func (*Exe) ProtoMessage()

func (*Exe) ProtoReflect 

func (x *Exe) ProtoReflect() protoreflect.Message

func (*Exe) Reset 

func (x *Exe) Reset()

func (*Exe) String 

func (x *Exe) String() string

type IdMap 

type IdMap struct {

	// Empty string means "current uid/gid"
	InsideId  *string `protobuf:"bytes,1,opt,name=inside_id,json=insideId,def=" json:"inside_id,omitempty"`
	OutsideId *string `protobuf:"bytes,2,opt,name=outside_id,json=outsideId,def=" json:"outside_id,omitempty"`
	// See 'man user_namespaces' for the meaning of count
	Count *uint32 `protobuf:"varint,3,opt,name=count,def=1" json:"count,omitempty"`
	// Does this map use /usr/bin/new[u|g]idmap binary?
	UseNewidmap *bool `protobuf:"varint,4,opt,name=use_newidmap,json=useNewidmap,def=0" json:"use_newidmap,omitempty"`
	// contains filtered or unexported fields
}

func (*IdMap) Descriptor deprecated 

func (*IdMap) Descriptor() ([]byte, []int)

Deprecated: Use IdMap.ProtoReflect.Descriptor instead.

func (*IdMap) GetCount 

func (x *IdMap) GetCount() uint32

func (*IdMap) GetInsideId 

func (x *IdMap) GetInsideId() string

func (*IdMap) GetOutsideId 

func (x *IdMap) GetOutsideId() string

func (*IdMap) GetUseNewidmap 

func (x *IdMap) GetUseNewidmap() bool

func (*IdMap) ProtoMessage 

func (*IdMap) ProtoMessage()

func (*IdMap) ProtoReflect 

func (x *IdMap) ProtoReflect() protoreflect.Message

func (*IdMap) Reset 

func (x *IdMap) Reset()

func (*IdMap) String 

func (x *IdMap) String() string

type LogLevel 

type LogLevel int32

Should be self explanatory 

const (
	LogLevel_DEBUG   LogLevel = 0 // Equivalent to the '-v' cmd-line option
	LogLevel_INFO    LogLevel = 1 // Default level
	LogLevel_WARNING LogLevel = 2 // Equivalent to the '-q' cmd-line option
	LogLevel_ERROR   LogLevel = 3
	LogLevel_FATAL   LogLevel = 4
)

func (LogLevel) Descriptor 

func (LogLevel) Descriptor() protoreflect.EnumDescriptor

func (LogLevel) Enum 

func (x LogLevel) Enum() *LogLevel

func (LogLevel) EnumDescriptor deprecated 

func (LogLevel) EnumDescriptor() ([]byte, []int)

Deprecated: Use LogLevel.Descriptor instead.

func (LogLevel) Number 

func (x LogLevel) Number() protoreflect.EnumNumber

func (LogLevel) String 

func (x LogLevel) String() string

func (LogLevel) Type 

func (LogLevel) Type() protoreflect.EnumType

func (*LogLevel) UnmarshalJSON deprecated 

func (x *LogLevel) UnmarshalJSON(b []byte) error

Deprecated: Do not use.

type Mode 

type Mode int32
const (
	Mode_LISTEN Mode = 0 // Listening on a TCP port
	Mode_ONCE   Mode = 1 // Running the command once only
	Mode_RERUN  Mode = 2 // Re-executing the command (forever)
	Mode_EXECVE Mode = 3 // Executing command w/o the supervisor
)

func (Mode) Descriptor 

func (Mode) Descriptor() protoreflect.EnumDescriptor

func (Mode) Enum 

func (x Mode) Enum() *Mode

func (Mode) EnumDescriptor deprecated 

func (Mode) EnumDescriptor() ([]byte, []int)

Deprecated: Use Mode.Descriptor instead.

func (Mode) Number 

func (x Mode) Number() protoreflect.EnumNumber

func (Mode) String 

func (x Mode) String() string

func (Mode) Type 

func (Mode) Type() protoreflect.EnumType

func (*Mode) UnmarshalJSON deprecated 

func (x *Mode) UnmarshalJSON(b []byte) error

Deprecated: Do not use.

type MountPt 

type MountPt struct {

	// Can be skipped for filesystems like 'proc'
	Src *string `protobuf:"bytes,1,opt,name=src,def=" json:"src,omitempty"`
	// Should 'src' path be prefixed with this envar?
	PrefixSrcEnv *string `protobuf:"bytes,2,opt,name=prefix_src_env,json=prefixSrcEnv,def=" json:"prefix_src_env,omitempty"`
	// If specified, contains buffer that will be written to the dst file
	SrcContent []byte `protobuf:"bytes,3,opt,name=src_content,json=srcContent,def=" json:"src_content,omitempty"`
	// Mount point inside jail
	Dst *string `protobuf:"bytes,4,req,name=dst,def=" json:"dst,omitempty"`
	// Should 'dst' path be prefixed with this envar?
	PrefixDstEnv *string `protobuf:"bytes,5,opt,name=prefix_dst_env,json=prefixDstEnv,def=" json:"prefix_dst_env,omitempty"`
	// Can be empty for mount --bind mounts
	Fstype *string `protobuf:"bytes,6,opt,name=fstype,def=" json:"fstype,omitempty"`
	// E.g. size=5000000 for 'tmpfs'
	Options *string `protobuf:"bytes,7,opt,name=options,def=" json:"options,omitempty"`
	// Is it a 'mount --bind src dst' type of mount?
	IsBind *bool `protobuf:"varint,8,opt,name=is_bind,json=isBind,def=0" json:"is_bind,omitempty"`
	// Is it a R/W mount?
	Rw *bool `protobuf:"varint,9,opt,name=rw,def=0" json:"rw,omitempty"`
	// Is it a directory? If not specified an internal
	// heuristics will be used to determine that
	IsDir *bool `protobuf:"varint,10,opt,name=is_dir,json=isDir" json:"is_dir,omitempty"`
	// Should the sandboxing fail if we cannot mount this resource?
	Mandatory *bool `protobuf:"varint,11,opt,name=mandatory,def=1" json:"mandatory,omitempty"`
	// Is it a symlink (instead of real mount point)?
	IsSymlink *bool `protobuf:"varint,12,opt,name=is_symlink,json=isSymlink,def=0" json:"is_symlink,omitempty"`
	// Is it a nosuid mount
	Nosuid *bool `protobuf:"varint,13,opt,name=nosuid,def=0" json:"nosuid,omitempty"`
	// Is it a nodev mount
	Nodev *bool `protobuf:"varint,14,opt,name=nodev,def=0" json:"nodev,omitempty"`
	// Is it a noexec mount
	Noexec *bool `protobuf:"varint,15,opt,name=noexec,def=0" json:"noexec,omitempty"`
	// contains filtered or unexported fields
}

func (*MountPt) Descriptor deprecated 

func (*MountPt) Descriptor() ([]byte, []int)

Deprecated: Use MountPt.ProtoReflect.Descriptor instead.

func (*MountPt) GetDst 

func (x *MountPt) GetDst() string

func (*MountPt) GetFstype 

func (x *MountPt) GetFstype() string

func (*MountPt) GetIsBind 

func (x *MountPt) GetIsBind() bool

func (*MountPt) GetIsDir 

func (x *MountPt) GetIsDir() bool
func (x *MountPt) GetIsSymlink() bool

func (*MountPt) GetMandatory 

func (x *MountPt) GetMandatory() bool

func (*MountPt) GetNodev 

func (x *MountPt) GetNodev() bool

func (*MountPt) GetNoexec 

func (x *MountPt) GetNoexec() bool

func (*MountPt) GetNosuid 

func (x *MountPt) GetNosuid() bool

func (*MountPt) GetOptions 

func (x *MountPt) GetOptions() string

func (*MountPt) GetPrefixDstEnv 

func (x *MountPt) GetPrefixDstEnv() string

func (*MountPt) GetPrefixSrcEnv 

func (x *MountPt) GetPrefixSrcEnv() string

func (*MountPt) GetRw 

func (x *MountPt) GetRw() bool

func (*MountPt) GetSrc 

func (x *MountPt) GetSrc() string

func (*MountPt) GetSrcContent 

func (x *MountPt) GetSrcContent() []byte

func (*MountPt) ProtoMessage 

func (*MountPt) ProtoMessage()

func (*MountPt) ProtoReflect 

func (x *MountPt) ProtoReflect() protoreflect.Message

func (*MountPt) Reset 

func (x *MountPt) Reset()

func (*MountPt) String 

func (x *MountPt) String() string

type NsJailConfig 

type NsJailConfig struct {

	// Optional name and description for this config
	Name        *string  `protobuf:"bytes,1,opt,name=name,def=" json:"name,omitempty"`
	Description []string `protobuf:"bytes,2,rep,name=description" json:"description,omitempty"`
	// Execution mode: see 'msg Mode' description for more
	Mode *Mode `protobuf:"varint,3,opt,name=mode,enum=nsjail.Mode,def=1" json:"mode,omitempty"`
	// Hostname inside jail
	Hostname *string `protobuf:"bytes,4,opt,name=hostname,def=NSJAIL" json:"hostname,omitempty"`
	// Initial current working directory for the binary
	Cwd *string `protobuf:"bytes,5,opt,name=cwd,def=/" json:"cwd,omitempty"`
	// Defines whether to use switch_root or pivot_root
	NoPivotroot *bool `protobuf:"varint,6,opt,name=no_pivotroot,json=noPivotroot,def=0" json:"no_pivotroot,omitempty"`
	// TCP port to listen to. Valid with mode=LISTEN only
	Port *uint32 `protobuf:"varint,7,opt,name=port,def=0" json:"port,omitempty"`
	// Host to bind to for mode=LISTEN. Must be in IPv6 format
	Bindhost *string `protobuf:"bytes,8,opt,name=bindhost,def=::" json:"bindhost,omitempty"`
	// For mode=LISTEN, maximum number of connections across all IPs
	MaxConns *uint32 `protobuf:"varint,9,opt,name=max_conns,json=maxConns,def=0" json:"max_conns,omitempty"`
	// For mode=LISTEN, maximum number of connections from a single IP
	MaxConnsPerIp *uint32 `protobuf:"varint,10,opt,name=max_conns_per_ip,json=maxConnsPerIp,def=0" json:"max_conns_per_ip,omitempty"`
	// Wall-time time limit for commands
	TimeLimit *uint32 `protobuf:"varint,11,opt,name=time_limit,json=timeLimit,def=600" json:"time_limit,omitempty"`
	// Should nsjail go into background?
	Daemon *bool `protobuf:"varint,12,opt,name=daemon,def=0" json:"daemon,omitempty"`
	// Maximum number of CPUs to use: 0 - no limit
	MaxCpus *uint32 `protobuf:"varint,13,opt,name=max_cpus,json=maxCpus,def=0" json:"max_cpus,omitempty"`
	// FD to log to.
	LogFd *int32 `protobuf:"varint,14,opt,name=log_fd,json=logFd" json:"log_fd,omitempty"`
	// File to save logs to.
	LogFile *string `protobuf:"bytes,15,opt,name=log_file,json=logFile" json:"log_file,omitempty"`
	// Minimum log level displayed.
	// See 'msg LogLevel' description for more
	LogLevel *LogLevel `protobuf:"varint,16,opt,name=log_level,json=logLevel,enum=nsjail.LogLevel" json:"log_level,omitempty"`
	// Should the current environment variables be kept
	// when executing the binary
	KeepEnv *bool `protobuf:"varint,17,opt,name=keep_env,json=keepEnv,def=0" json:"keep_env,omitempty"`
	// EnvVars to be set before executing binaries. If the envar doesn't contain '='
	// (e.g. just the 'DISPLAY' string), the current envar value will be used
	Envar []string `protobuf:"bytes,18,rep,name=envar" json:"envar,omitempty"`
	// Should capabilities be preserved or dropped
	KeepCaps *bool `protobuf:"varint,19,opt,name=keep_caps,json=keepCaps,def=0" json:"keep_caps,omitempty"`
	// Which capabilities should be preserved if keep_caps == false.
	// Format: "CAP_SYS_PTRACE"
	Cap []string `protobuf:"bytes,20,rep,name=cap" json:"cap,omitempty"`
	// Should nsjail close FD=0,1,2 before executing the process
	Silent *bool `protobuf:"varint,21,opt,name=silent,def=0" json:"silent,omitempty"`
	// Should the child process have control over terminal?
	// Can be useful to allow /bin/sh to provide
	// job control / signals. Dangerous, can be used to put
	// characters into the controlling terminal back
	SkipSetsid *bool `protobuf:"varint,22,opt,name=skip_setsid,json=skipSetsid,def=0" json:"skip_setsid,omitempty"`
	// Redirect sdterr of the process to /dev/null instead of the socket or original TTY
	StderrToNull *bool `protobuf:"varint,23,opt,name=stderr_to_null,json=stderrToNull,def=0" json:"stderr_to_null,omitempty"`
	// Which FDs should be passed to the newly executed process
	// By default only FD=0,1,2 are passed
	PassFd []int32 `protobuf:"varint,24,rep,name=pass_fd,json=passFd" json:"pass_fd,omitempty"`
	// Setting it to true will allow to have set-uid binaries
	// inside the jail
	DisableNoNewPrivs *bool `protobuf:"varint,25,opt,name=disable_no_new_privs,json=disableNoNewPrivs,def=0" json:"disable_no_new_privs,omitempty"`
	// Various rlimits, the rlimit_as/rlimit_core/... are used only if
	// rlimit_as_type/rlimit_core_type/... are set to RLimit::VALUE
	RlimitAs         *uint64 `protobuf:"varint,26,opt,name=rlimit_as,json=rlimitAs,def=4096" json:"rlimit_as,omitempty"` // In MiB
	RlimitAsType     *RLimit `protobuf:"varint,27,opt,name=rlimit_as_type,json=rlimitAsType,enum=nsjail.RLimit,def=0" json:"rlimit_as_type,omitempty"`
	RlimitCore       *uint64 `protobuf:"varint,28,opt,name=rlimit_core,json=rlimitCore,def=0" json:"rlimit_core,omitempty"` // In MiB
	RlimitCoreType   *RLimit `protobuf:"varint,29,opt,name=rlimit_core_type,json=rlimitCoreType,enum=nsjail.RLimit,def=0" json:"rlimit_core_type,omitempty"`
	RlimitCpu        *uint64 `protobuf:"varint,30,opt,name=rlimit_cpu,json=rlimitCpu,def=600" json:"rlimit_cpu,omitempty"` // In seconds
	RlimitCpuType    *RLimit `protobuf:"varint,31,opt,name=rlimit_cpu_type,json=rlimitCpuType,enum=nsjail.RLimit,def=0" json:"rlimit_cpu_type,omitempty"`
	RlimitFsize      *uint64 `protobuf:"varint,32,opt,name=rlimit_fsize,json=rlimitFsize,def=1" json:"rlimit_fsize,omitempty"` // In MiB
	RlimitFsizeType  *RLimit ``                                                                                                /* 128-byte string literal not displayed */
	RlimitNofile     *uint64 `protobuf:"varint,34,opt,name=rlimit_nofile,json=rlimitNofile,def=32" json:"rlimit_nofile,omitempty"`
	RlimitNofileType *RLimit `` /* 131-byte string literal not displayed */
	// RLIMIT_NPROC is system-wide - tricky to use; use the soft limit value by
	// default here
	RlimitNproc     *uint64 `protobuf:"varint,36,opt,name=rlimit_nproc,json=rlimitNproc,def=1024" json:"rlimit_nproc,omitempty"`
	RlimitNprocType *RLimit `` /* 128-byte string literal not displayed */
	// In MiB, use the soft limit value by default
	RlimitStack     *uint64 `protobuf:"varint,38,opt,name=rlimit_stack,json=rlimitStack,def=8" json:"rlimit_stack,omitempty"`
	RlimitStackType *RLimit `` /* 128-byte string literal not displayed */
	// In KB, use the soft limit value by default
	RlimitMemlock      *uint64 `protobuf:"varint,40,opt,name=rlimit_memlock,json=rlimitMemlock,def=64" json:"rlimit_memlock,omitempty"`
	RlimitMemlockType  *RLimit `` /* 134-byte string literal not displayed */
	RlimitRtprio       *uint64 `protobuf:"varint,42,opt,name=rlimit_rtprio,json=rlimitRtprio,def=0" json:"rlimit_rtprio,omitempty"`
	RlimitRtprioType   *RLimit ``                                                                                                            /* 131-byte string literal not displayed */
	RlimitMsgqueue     *uint64 `protobuf:"varint,44,opt,name=rlimit_msgqueue,json=rlimitMsgqueue,def=1024" json:"rlimit_msgqueue,omitempty"` // In bytes
	RlimitMsgqueueType *RLimit ``                                                                                                            /* 137-byte string literal not displayed */
	// Disable all rlimits, default to limits set by parent
	DisableRl *bool `protobuf:"varint,46,opt,name=disable_rl,json=disableRl,def=0" json:"disable_rl,omitempty"`
	// See 'man personality' for more
	PersonaAddrCompatLayout *bool `` /* 135-byte string literal not displayed */
	PersonaMmapPageZero     *bool `protobuf:"varint,48,opt,name=persona_mmap_page_zero,json=personaMmapPageZero,def=0" json:"persona_mmap_page_zero,omitempty"`
	PersonaReadImpliesExec  *bool `` /* 132-byte string literal not displayed */
	PersonaAddrLimit_3Gb    *bool `protobuf:"varint,50,opt,name=persona_addr_limit_3gb,json=personaAddrLimit3gb,def=0" json:"persona_addr_limit_3gb,omitempty"`
	PersonaAddrNoRandomize  *bool `` /* 132-byte string literal not displayed */
	// Which name-spaces should be used?
	CloneNewnet  *bool `protobuf:"varint,52,opt,name=clone_newnet,json=cloneNewnet,def=1" json:"clone_newnet,omitempty"`
	CloneNewuser *bool `protobuf:"varint,53,opt,name=clone_newuser,json=cloneNewuser,def=1" json:"clone_newuser,omitempty"`
	CloneNewns   *bool `protobuf:"varint,54,opt,name=clone_newns,json=cloneNewns,def=1" json:"clone_newns,omitempty"`
	CloneNewpid  *bool `protobuf:"varint,55,opt,name=clone_newpid,json=cloneNewpid,def=1" json:"clone_newpid,omitempty"`
	CloneNewipc  *bool `protobuf:"varint,56,opt,name=clone_newipc,json=cloneNewipc,def=1" json:"clone_newipc,omitempty"`
	CloneNewuts  *bool `protobuf:"varint,57,opt,name=clone_newuts,json=cloneNewuts,def=1" json:"clone_newuts,omitempty"`
	// Disable for kernel versions < 4.6 as it's not supported there
	CloneNewcgroup *bool `protobuf:"varint,58,opt,name=clone_newcgroup,json=cloneNewcgroup,def=1" json:"clone_newcgroup,omitempty"`
	// Supported with kernel versions >= 5.3
	CloneNewtime *bool `protobuf:"varint,59,opt,name=clone_newtime,json=cloneNewtime,def=0" json:"clone_newtime,omitempty"`
	// Mappings for UIDs and GIDs. See the description for 'msg IdMap'
	// for more
	Uidmap []*IdMap `protobuf:"bytes,60,rep,name=uidmap" json:"uidmap,omitempty"`
	Gidmap []*IdMap `protobuf:"bytes,61,rep,name=gidmap" json:"gidmap,omitempty"`
	// Should /proc be mounted (R/O)? This can also be added in the 'mount'
	// section below
	MountProc *bool `protobuf:"varint,62,opt,name=mount_proc,json=mountProc,def=0" json:"mount_proc,omitempty"`
	// Mount points inside the jail. See the description for 'msg MountPt'
	// for more
	Mount []*MountPt `protobuf:"bytes,63,rep,name=mount" json:"mount,omitempty"`
	// If > 0, maximum cumulative size of RAM used inside any jail
	CgroupMemMax *uint64 `protobuf:"varint,67,opt,name=cgroup_mem_max,json=cgroupMemMax,def=0" json:"cgroup_mem_max,omitempty"` // In bytes
	// If > 0, maximum cumulative size of RAM + swap used inside any jail
	CgroupMemMemswMax *uint64 `protobuf:"varint,91,opt,name=cgroup_mem_memsw_max,json=cgroupMemMemswMax,def=0" json:"cgroup_mem_memsw_max,omitempty"` // In bytes
	// If >= 0, maximum cumulative size of swap used inside any jail
	CgroupMemSwapMax *int64 `protobuf:"varint,92,opt,name=cgroup_mem_swap_max,json=cgroupMemSwapMax,def=-1" json:"cgroup_mem_swap_max,omitempty"` // In bytes
	// Mount point for cgroups-memory in your system
	CgroupMemMount *string `protobuf:"bytes,68,opt,name=cgroup_mem_mount,json=cgroupMemMount,def=/sys/fs/cgroup/memory" json:"cgroup_mem_mount,omitempty"`
	// Writeable directory (for the nsjail user) under cgroup_mem_mount
	CgroupMemParent *string `protobuf:"bytes,69,opt,name=cgroup_mem_parent,json=cgroupMemParent,def=NSJAIL" json:"cgroup_mem_parent,omitempty"`
	// If > 0, maximum number of PIDs (threads/processes) inside jail
	CgroupPidsMax *uint64 `protobuf:"varint,70,opt,name=cgroup_pids_max,json=cgroupPidsMax,def=0" json:"cgroup_pids_max,omitempty"`
	// Mount point for cgroups-pids in your system
	CgroupPidsMount *string `` /* 126-byte string literal not displayed */
	// Writeable directory (for the nsjail user) under cgroup_pids_mount
	CgroupPidsParent *string `protobuf:"bytes,72,opt,name=cgroup_pids_parent,json=cgroupPidsParent,def=NSJAIL" json:"cgroup_pids_parent,omitempty"`
	// If > 0, Class identifier of network packets inside jail
	CgroupNetClsClassid *uint32 `protobuf:"varint,73,opt,name=cgroup_net_cls_classid,json=cgroupNetClsClassid,def=0" json:"cgroup_net_cls_classid,omitempty"`
	// Mount point for cgroups-net-cls in your system
	CgroupNetClsMount *string `` /* 137-byte string literal not displayed */
	// Writeable directory (for the nsjail user) under cgroup_net_mount
	CgroupNetClsParent *string `protobuf:"bytes,75,opt,name=cgroup_net_cls_parent,json=cgroupNetClsParent,def=NSJAIL" json:"cgroup_net_cls_parent,omitempty"`
	// If > 0, number of milliseconds of CPU time per second that jailed processes can use
	CgroupCpuMsPerSec *uint32 `protobuf:"varint,76,opt,name=cgroup_cpu_ms_per_sec,json=cgroupCpuMsPerSec,def=0" json:"cgroup_cpu_ms_per_sec,omitempty"`
	// Mount point for cgroups-cpu in your system
	CgroupCpuMount *string `protobuf:"bytes,77,opt,name=cgroup_cpu_mount,json=cgroupCpuMount,def=/sys/fs/cgroup/cpu" json:"cgroup_cpu_mount,omitempty"`
	// Writeable directory (for the nsjail user) under cgroup_cpu_mount
	CgroupCpuParent *string `protobuf:"bytes,78,opt,name=cgroup_cpu_parent,json=cgroupCpuParent,def=NSJAIL" json:"cgroup_cpu_parent,omitempty"`
	// Mount point for cgroup v2 in your system
	Cgroupv2Mount *string `protobuf:"bytes,79,opt,name=cgroupv2_mount,json=cgroupv2Mount,def=/sys/fs/cgroup" json:"cgroupv2_mount,omitempty"`
	// Use cgroup v2
	UseCgroupv2 *bool `protobuf:"varint,80,opt,name=use_cgroupv2,json=useCgroupv2,def=0" json:"use_cgroupv2,omitempty"`
	// Should the 'lo' interface be brought up (active) inside this jail?
	IfaceNoLo *bool `protobuf:"varint,81,opt,name=iface_no_lo,json=ifaceNoLo,def=0" json:"iface_no_lo,omitempty"`
	// Put this interface inside the jail
	IfaceOwn []string `protobuf:"bytes,82,rep,name=iface_own,json=ifaceOwn" json:"iface_own,omitempty"`
	// Parameters for the cloned MACVLAN interface inside jail
	MacvlanIface *string `protobuf:"bytes,83,opt,name=macvlan_iface,json=macvlanIface" json:"macvlan_iface,omitempty"` // Interface to be cloned, eg 'eth0'
	MacvlanVsIp  *string `protobuf:"bytes,84,opt,name=macvlan_vs_ip,json=macvlanVsIp,def=192.168.0.2" json:"macvlan_vs_ip,omitempty"`
	MacvlanVsNm  *string `protobuf:"bytes,85,opt,name=macvlan_vs_nm,json=macvlanVsNm,def=255.255.255.0" json:"macvlan_vs_nm,omitempty"`
	MacvlanVsGw  *string `protobuf:"bytes,86,opt,name=macvlan_vs_gw,json=macvlanVsGw,def=192.168.0.1" json:"macvlan_vs_gw,omitempty"`
	MacvlanVsMa  *string `protobuf:"bytes,87,opt,name=macvlan_vs_ma,json=macvlanVsMa,def=" json:"macvlan_vs_ma,omitempty"`
	MacvlanVsMo  *string `protobuf:"bytes,88,opt,name=macvlan_vs_mo,json=macvlanVsMo,def=private" json:"macvlan_vs_mo,omitempty"`
	// Niceness level of the jailed process
	NiceLevel *int32 `protobuf:"varint,89,opt,name=nice_level,json=niceLevel,def=19" json:"nice_level,omitempty"`
	// Binary path (with arguments) to be executed. If not specified here, it
	// can be specified with cmd-line as "-- /path/to/command arg1 arg2"
	ExecBin    *Exe  `protobuf:"bytes,90,opt,name=exec_bin,json=execBin" json:"exec_bin,omitempty"`
	DisableTsc *bool `protobuf:"varint,93,opt,name=disable_tsc,json=disableTsc,def=0" json:"disable_tsc,omitempty"`
	// Set this to true to forward fatal signals to the child process instead
	// of always using SIGKILL.
	ForwardSignals *bool `protobuf:"varint,94,opt,name=forward_signals,json=forwardSignals,def=0" json:"forward_signals,omitempty"`
	// contains filtered or unexported fields
}

func (*NsJailConfig) Descriptor deprecated 

func (*NsJailConfig) Descriptor() ([]byte, []int)

Deprecated: Use NsJailConfig.ProtoReflect.Descriptor instead.

func (*NsJailConfig) GetBindhost 

func (x *NsJailConfig) GetBindhost() string

func (*NsJailConfig) GetCap 

func (x *NsJailConfig) GetCap() []string

func (*NsJailConfig) GetCgroupCpuMount 

func (x *NsJailConfig) GetCgroupCpuMount() string

func (*NsJailConfig) GetCgroupCpuMsPerSec 

func (x *NsJailConfig) GetCgroupCpuMsPerSec() uint32

func (*NsJailConfig) GetCgroupCpuParent 

func (x *NsJailConfig) GetCgroupCpuParent() string

func (*NsJailConfig) GetCgroupMemMax 

func (x *NsJailConfig) GetCgroupMemMax() uint64

func (*NsJailConfig) GetCgroupMemMemswMax added in v0.1.2 

func (x *NsJailConfig) GetCgroupMemMemswMax() uint64

func (*NsJailConfig) GetCgroupMemMount 

func (x *NsJailConfig) GetCgroupMemMount() string

func (*NsJailConfig) GetCgroupMemParent 

func (x *NsJailConfig) GetCgroupMemParent() string

func (*NsJailConfig) GetCgroupMemSwapMax added in v0.1.3 

func (x *NsJailConfig) GetCgroupMemSwapMax() int64

func (*NsJailConfig) GetCgroupNetClsClassid 

func (x *NsJailConfig) GetCgroupNetClsClassid() uint32

func (*NsJailConfig) GetCgroupNetClsMount 

func (x *NsJailConfig) GetCgroupNetClsMount() string

func (*NsJailConfig) GetCgroupNetClsParent 

func (x *NsJailConfig) GetCgroupNetClsParent() string

func (*NsJailConfig) GetCgroupPidsMax 

func (x *NsJailConfig) GetCgroupPidsMax() uint64

func (*NsJailConfig) GetCgroupPidsMount 

func (x *NsJailConfig) GetCgroupPidsMount() string

func (*NsJailConfig) GetCgroupPidsParent 

func (x *NsJailConfig) GetCgroupPidsParent() string

func (*NsJailConfig) GetCgroupv2Mount 

func (x *NsJailConfig) GetCgroupv2Mount() string

func (*NsJailConfig) GetCloneNewcgroup 

func (x *NsJailConfig) GetCloneNewcgroup() bool

func (*NsJailConfig) GetCloneNewipc 

func (x *NsJailConfig) GetCloneNewipc() bool

func (*NsJailConfig) GetCloneNewnet 

func (x *NsJailConfig) GetCloneNewnet() bool

func (*NsJailConfig) GetCloneNewns 

func (x *NsJailConfig) GetCloneNewns() bool

func (*NsJailConfig) GetCloneNewpid 

func (x *NsJailConfig) GetCloneNewpid() bool

func (*NsJailConfig) GetCloneNewtime 

func (x *NsJailConfig) GetCloneNewtime() bool

func (*NsJailConfig) GetCloneNewuser 

func (x *NsJailConfig) GetCloneNewuser() bool

func (*NsJailConfig) GetCloneNewuts 

func (x *NsJailConfig) GetCloneNewuts() bool

func (*NsJailConfig) GetCwd 

func (x *NsJailConfig) GetCwd() string

func (*NsJailConfig) GetDaemon 

func (x *NsJailConfig) GetDaemon() bool

func (*NsJailConfig) GetDescription 

func (x *NsJailConfig) GetDescription() []string

func (*NsJailConfig) GetDisableNoNewPrivs 

func (x *NsJailConfig) GetDisableNoNewPrivs() bool

func (*NsJailConfig) GetDisableRl 

func (x *NsJailConfig) GetDisableRl() bool

func (*NsJailConfig) GetDisableTsc added in v0.3.1 

func (x *NsJailConfig) GetDisableTsc() bool

func (*NsJailConfig) GetEnvar 

func (x *NsJailConfig) GetEnvar() []string

func (*NsJailConfig) GetExecBin 

func (x *NsJailConfig) GetExecBin() *Exe

func (*NsJailConfig) GetForwardSignals added in v0.3.1 

func (x *NsJailConfig) GetForwardSignals() bool

func (*NsJailConfig) GetGidmap 

func (x *NsJailConfig) GetGidmap() []*IdMap

func (*NsJailConfig) GetHostname 

func (x *NsJailConfig) GetHostname() string

func (*NsJailConfig) GetIfaceNoLo 

func (x *NsJailConfig) GetIfaceNoLo() bool

func (*NsJailConfig) GetIfaceOwn 

func (x *NsJailConfig) GetIfaceOwn() []string

func (*NsJailConfig) GetKeepCaps 

func (x *NsJailConfig) GetKeepCaps() bool

func (*NsJailConfig) GetKeepEnv 

func (x *NsJailConfig) GetKeepEnv() bool

func (*NsJailConfig) GetLogFd 

func (x *NsJailConfig) GetLogFd() int32

func (*NsJailConfig) GetLogFile 

func (x *NsJailConfig) GetLogFile() string

func (*NsJailConfig) GetLogLevel 

func (x *NsJailConfig) GetLogLevel() LogLevel

func (*NsJailConfig) GetMacvlanIface 

func (x *NsJailConfig) GetMacvlanIface() string

func (*NsJailConfig) GetMacvlanVsGw 

func (x *NsJailConfig) GetMacvlanVsGw() string

func (*NsJailConfig) GetMacvlanVsIp 

func (x *NsJailConfig) GetMacvlanVsIp() string

func (*NsJailConfig) GetMacvlanVsMa 

func (x *NsJailConfig) GetMacvlanVsMa() string

func (*NsJailConfig) GetMacvlanVsMo 

func (x *NsJailConfig) GetMacvlanVsMo() string

func (*NsJailConfig) GetMacvlanVsNm 

func (x *NsJailConfig) GetMacvlanVsNm() string

func (*NsJailConfig) GetMaxConns 

func (x *NsJailConfig) GetMaxConns() uint32

func (*NsJailConfig) GetMaxConnsPerIp 

func (x *NsJailConfig) GetMaxConnsPerIp() uint32

func (*NsJailConfig) GetMaxCpus 

func (x *NsJailConfig) GetMaxCpus() uint32

func (*NsJailConfig) GetMode 

func (x *NsJailConfig) GetMode() Mode

func (*NsJailConfig) GetMount 

func (x *NsJailConfig) GetMount() []*MountPt

func (*NsJailConfig) GetMountProc 

func (x *NsJailConfig) GetMountProc() bool

func (*NsJailConfig) GetName 

func (x *NsJailConfig) GetName() string

func (*NsJailConfig) GetNiceLevel 

func (x *NsJailConfig) GetNiceLevel() int32

func (*NsJailConfig) GetNoPivotroot 

func (x *NsJailConfig) GetNoPivotroot() bool

func (*NsJailConfig) GetPassFd 

func (x *NsJailConfig) GetPassFd() []int32

func (*NsJailConfig) GetPersonaAddrCompatLayout 

func (x *NsJailConfig) GetPersonaAddrCompatLayout() bool

func (*NsJailConfig) GetPersonaAddrLimit_3Gb 

func (x *NsJailConfig) GetPersonaAddrLimit_3Gb() bool

func (*NsJailConfig) GetPersonaAddrNoRandomize 

func (x *NsJailConfig) GetPersonaAddrNoRandomize() bool

func (*NsJailConfig) GetPersonaMmapPageZero 

func (x *NsJailConfig) GetPersonaMmapPageZero() bool

func (*NsJailConfig) GetPersonaReadImpliesExec 

func (x *NsJailConfig) GetPersonaReadImpliesExec() bool

func (*NsJailConfig) GetPort 

func (x *NsJailConfig) GetPort() uint32

func (*NsJailConfig) GetRlimitAs 

func (x *NsJailConfig) GetRlimitAs() uint64

func (*NsJailConfig) GetRlimitAsType 

func (x *NsJailConfig) GetRlimitAsType() RLimit

func (*NsJailConfig) GetRlimitCore 

func (x *NsJailConfig) GetRlimitCore() uint64

func (*NsJailConfig) GetRlimitCoreType 

func (x *NsJailConfig) GetRlimitCoreType() RLimit

func (*NsJailConfig) GetRlimitCpu 

func (x *NsJailConfig) GetRlimitCpu() uint64

func (*NsJailConfig) GetRlimitCpuType 

func (x *NsJailConfig) GetRlimitCpuType() RLimit

func (*NsJailConfig) GetRlimitFsize 

func (x *NsJailConfig) GetRlimitFsize() uint64

func (*NsJailConfig) GetRlimitFsizeType 

func (x *NsJailConfig) GetRlimitFsizeType() RLimit

func (*NsJailConfig) GetRlimitMemlock 

func (x *NsJailConfig) GetRlimitMemlock() uint64

func (*NsJailConfig) GetRlimitMemlockType 

func (x *NsJailConfig) GetRlimitMemlockType() RLimit

func (*NsJailConfig) GetRlimitMsgqueue 

func (x *NsJailConfig) GetRlimitMsgqueue() uint64

func (*NsJailConfig) GetRlimitMsgqueueType 

func (x *NsJailConfig) GetRlimitMsgqueueType() RLimit

func (*NsJailConfig) GetRlimitNofile 

func (x *NsJailConfig) GetRlimitNofile() uint64

func (*NsJailConfig) GetRlimitNofileType 

func (x *NsJailConfig) GetRlimitNofileType() RLimit

func (*NsJailConfig) GetRlimitNproc 

func (x *NsJailConfig) GetRlimitNproc() uint64

func (*NsJailConfig) GetRlimitNprocType 

func (x *NsJailConfig) GetRlimitNprocType() RLimit

func (*NsJailConfig) GetRlimitRtprio 

func (x *NsJailConfig) GetRlimitRtprio() uint64

func (*NsJailConfig) GetRlimitRtprioType 

func (x *NsJailConfig) GetRlimitRtprioType() RLimit

func (*NsJailConfig) GetRlimitStack 

func (x *NsJailConfig) GetRlimitStack() uint64

func (*NsJailConfig) GetRlimitStackType 

func (x *NsJailConfig) GetRlimitStackType() RLimit

func (*NsJailConfig) GetSilent 

func (x *NsJailConfig) GetSilent() bool

func (*NsJailConfig) GetSkipSetsid 

func (x *NsJailConfig) GetSkipSetsid() bool

func (*NsJailConfig) GetStderrToNull 

func (x *NsJailConfig) GetStderrToNull() bool

func (*NsJailConfig) GetTimeLimit 

func (x *NsJailConfig) GetTimeLimit() uint32

func (*NsJailConfig) GetUidmap 

func (x *NsJailConfig) GetUidmap() []*IdMap

func (*NsJailConfig) GetUseCgroupv2 

func (x *NsJailConfig) GetUseCgroupv2() bool

func (*NsJailConfig) ProtoMessage 

func (*NsJailConfig) ProtoMessage()

func (*NsJailConfig) ProtoReflect 

func (x *NsJailConfig) ProtoReflect() protoreflect.Message

func (*NsJailConfig) Reset 

func (x *NsJailConfig) Reset()

func (*NsJailConfig) String 

func (x *NsJailConfig) String() string

type RLimit 

type RLimit int32
const (
	RLimit_VALUE RLimit = 0 // Use the provided value
	RLimit_SOFT  RLimit = 1 // Use the current soft rlimit
	RLimit_HARD  RLimit = 2 // Use the current hard rlimit
	RLimit_INF   RLimit = 3 // Use RLIM64_INFINITY
)

func (RLimit) Descriptor 

func (RLimit) Descriptor() protoreflect.EnumDescriptor

func (RLimit) Enum 

func (x RLimit) Enum() *RLimit

func (RLimit) EnumDescriptor deprecated 

func (RLimit) EnumDescriptor() ([]byte, []int)

Deprecated: Use RLimit.Descriptor instead.

func (RLimit) Number 

func (x RLimit) Number() protoreflect.EnumNumber

func (RLimit) String 

func (x RLimit) String() string

func (RLimit) Type 

func (RLimit) Type() protoreflect.EnumType

func (*RLimit) UnmarshalJSON deprecated 

func (x *RLimit) UnmarshalJSON(b []byte) error

Deprecated: Do not use.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.