Documentation
Index
- Constants
- func EnsureImage(ctx context.Context, dockerfilePath string) error
- type Sandbox
- func (s *Sandbox) Cleanup(ctx context.Context) error
- func (s *Sandbox) ContainerID() string
- func (s *Sandbox) Create(ctx context.Context) error
- func (s *Sandbox) Exec(ctx context.Context, command []string) ([]byte, error)
- func (s *Sandbox) ImportCommands() [][]string
- func (s *Sandbox) ImportCommandsMulti(pkgs []string) [][]string
- func (s *Sandbox) InstallAllCommand(pkgs []string) []string
- func (s *Sandbox) InstallCommand() []string
- func (s *Sandbox) InstallPackage(ctx context.Context) ([]byte, error)
- func (s *Sandbox) Logs(ctx context.Context) (string, error)
- func (s *Sandbox) PID(ctx context.Context) (uint32, error)
- func (s *Sandbox) Pause(ctx context.Context) error
- func (s *Sandbox) SetLocalMode(local bool)
- func (s *Sandbox) Start(ctx context.Context) error
- func (s *Sandbox) StartPaused(ctx context.Context) error
- func (s *Sandbox) Unpause(ctx context.Context) error
- func (s *Sandbox) WriteProbeScripts(ctx context.Context)
- func (s *Sandbox) WriteProbeScriptsMulti(ctx context.Context, pkgs []string)
Constants
const (
	RuntimeDefault = ""      // Docker default (runc).
	RuntimeGVisor  = "runsc" // gVisor user-space kernel.
)
Runtime selects the container runtime.
const SandboxImage = "kojuto-sandbox:latest"
SandboxImage is the Docker image used for the sandbox container.
const SandboxPythonVersion = "3.12"
SandboxPythonVersion must match the Python version in Dockerfile.sandbox.
Functions
Types
type Sandbox
type Sandbox struct {
// contains filtered or unexported fields
}
Sandbox manages a Docker container for isolated package installation.
func (*Sandbox) ContainerID
ContainerID returns the container ID.
func (*Sandbox) Create
Create creates the sandbox container without starting it. The container is configured with an isolated network, --no-new-privileges, and --read-only. Writable tmpfs mounts are provided only where needed. The host filesystem is protected by Docker's copy-on-write isolation. When SYS_PTRACE is needed, a restrictive seccomp profile is applied.
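One way to check from the outside that a container carries the settings documented for Create is to audit its `docker inspect` output. This is an added example, not kojuto's own code: `AuditInspect` and `weakSample` are hypothetical names, the sample JSON is constructed, and treating only `host` networking as non-isolated is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// inspectEntry keeps the `docker inspect` HostConfig fields that map to Create's documented settings.
type inspectEntry struct {
	HostConfig struct {
		NetworkMode         string
		ReadonlyRootfs      bool
		SecurityOpt, CapAdd []string
	}
}

// weakSample is constructed for this example, not captured from a real container.
const weakSample = `[{"HostConfig":{"NetworkMode":"host","ReadonlyRootfs":false,"CapAdd":["SYS_PTRACE"]}}]`

// AuditInspect returns one finding per documented hardening setting that is missing.
func AuditInspect(raw []byte) ([]string, error) {
	var entries []inspectEntry
	if err := json.Unmarshal(raw, &entries); err != nil || len(entries) == 0 {
		return nil, fmt.Errorf("cannot audit inspect output (parse error: %v)", err)
	}
	hc, findings := entries[0].HostConfig, []string{}
	noNewPrivs, seccomp, ptrace := false, false, false
	for _, o := range hc.SecurityOpt {
		noNewPrivs = noNewPrivs || strings.HasPrefix(o, "no-new-privileges") && !strings.HasSuffix(o, "false")
		seccomp = seccomp || strings.HasPrefix(o, "seccomp") && !strings.HasSuffix(o, "unconfined")
	}
	for _, c := range hc.CapAdd {
		ptrace = ptrace || strings.TrimPrefix(strings.ToUpper(c), "CAP_") == "SYS_PTRACE"
	}
	add := func(bad bool, msg string) {
		if bad {
			findings = append(findings, msg)
		}
	}
	add(!hc.ReadonlyRootfs, "root filesystem is writable")
	add(!noNewPrivs, "no-new-privileges is not set")
	add(hc.NetworkMode == "host", "container shares the host network") // assumed minimum check
	add(ptrace && !seccomp, "SYS_PTRACE added without a seccomp profile")
	return findings, nil
}

func main() {
	fmt.Println(AuditInspect([]byte(weakSample)))
}
```

Feed it the output of `docker inspect` for the ID returned by ContainerID; an empty findings list means the four documented settings are present.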
func (*Sandbox) Exec
Exec runs a command inside the sandbox container and returns the combined output.
func (*Sandbox) ImportCommands
ImportCommands returns commands to import/require the installed package under multiple simulated OS identities. This defeats OS-gated payloads that only activate on specific platforms (e.g. "if Windows: attack()").
For Python: patches platform.system(), sys.platform, os.name before import. For Node.js: overrides process.platform before require().
Each command simulates a different target OS so that platform-conditional code paths are exercised regardless of the container's actual OS.
func (*Sandbox) ImportCommandsMulti (added in v0.4.0)
ImportCommandsMulti returns 3 import commands (one per OS identity) that import all packages.
func (*Sandbox) InstallAllCommand (added in v0.4.0)
InstallAllCommand returns a pip install command that installs multiple packages at once. All wheels must already be in the mount point directory.
func (*Sandbox) InstallCommand
InstallCommand returns the install command for the ecosystem.
func (*Sandbox) InstallPackage
InstallPackage runs the install command inside the sandbox.
func (*Sandbox) SetLocalMode (added in v0.4.0)
SetLocalMode enables local package installation mode (sdist support).
func (*Sandbox) Start
Start creates and starts the sandbox container (convenience for strace-container mode which does not need the pause-before-probe pattern).
func (*Sandbox) StartPaused
StartPaused starts the container and immediately pauses it. This minimizes the TOCTOU window between container start and probe attachment.
func (*Sandbox) WriteProbeScripts
WriteProbeScripts writes the OS-simulation import scripts into the container's /tmp directory. Must be called before ImportCommands.