Documentation
Overview
Package permissions provides utilities for managing container permissions and permission profiles for the toolhive application.
Index
Constants
const (
	// ProfileNone is the name of the built-in profile with no permissions
	ProfileNone = "none"
	// ProfileNetwork is the name of the built-in profile with network permissions
	ProfileNetwork = "network"
)
Built-in permission profile names
Variables
This section is empty.
Functions
This section is empty.
Types
type MountDeclaration
type MountDeclaration string
MountDeclaration represents a mount declaration for a container. It can be in one of the following formats:
- A single path: The same path will be mounted from host to container
- host-path:container-path: Different paths for host and container
- resource-uri:container-path: Mount a resource identified by URI to a container path (e.g., volume://name:container-path)
func ParseMountDeclarations
func ParseMountDeclarations(declarations []string) ([]MountDeclaration, error)
ParseMountDeclarations parses a list of mount declarations
func (MountDeclaration) GetResourceType
func (m MountDeclaration) GetResourceType() (string, error)
GetResourceType returns the resource type if the mount declaration is a resource URI. For example, "volume://name" would return "volume".
func (MountDeclaration) IsResourceURI
func (m MountDeclaration) IsResourceURI() bool
IsResourceURI checks if the mount declaration is a resource URI
func (MountDeclaration) IsValid
func (m MountDeclaration) IsValid() bool
IsValid checks if the mount declaration is valid
func (MountDeclaration) Parse
func (m MountDeclaration) Parse() (source, target string, err error)
Parse parses a mount declaration and returns the source and target paths. It also cleans and validates the paths.
type NetworkPermissions
type NetworkPermissions struct {
	// Outbound defines outbound network permissions
	Outbound *OutboundNetworkPermissions `json:"outbound,omitempty" yaml:"outbound,omitempty"`
}
NetworkPermissions defines network permissions for a container
type OutboundNetworkPermissions
type OutboundNetworkPermissions struct {
	// InsecureAllowAll allows all outbound network connections
	InsecureAllowAll bool `json:"insecure_allow_all,omitempty" yaml:"insecure_allow_all,omitempty"`
	// AllowHost is a list of allowed hosts
	AllowHost []string `json:"allow_host,omitempty" yaml:"allow_host,omitempty"`
	// AllowPort is a list of allowed ports
	AllowPort []int `json:"allow_port,omitempty" yaml:"allow_port,omitempty"`
}
OutboundNetworkPermissions defines outbound network permissions
type Profile
type Profile struct {
	// Name is the name of the profile
	Name string `json:"name,omitempty" yaml:"name,omitempty"`
	// Read is a list of mount declarations that the container can read from
	// These can be in the following formats:
	// - A single path: The same path will be mounted from host to container
	// - host-path:container-path: Different paths for host and container
	// - resource-uri:container-path: Mount a resource identified by URI to a container path
	Read []MountDeclaration `json:"read,omitempty" yaml:"read,omitempty"`
	// Write is a list of mount declarations that the container can write to
	// These follow the same format as Read mounts but with write permissions
	Write []MountDeclaration `json:"write,omitempty" yaml:"write,omitempty"`
	// Network defines network permissions
	Network *NetworkPermissions `json:"network,omitempty" yaml:"network,omitempty"`
	// Privileged indicates whether the container should run in privileged mode
	// When true, the container has access to all host devices and capabilities
	// Use with extreme caution as this removes most security isolation
	Privileged bool `json:"privileged,omitempty" yaml:"privileged,omitempty"`
}
Profile represents a permission profile for a container
func BuiltinNetworkProfile
func BuiltinNetworkProfile() *Profile
BuiltinNetworkProfile returns the built-in network profile
func BuiltinNoneProfile (added in v0.0.32)
func BuiltinNoneProfile() *Profile
BuiltinNoneProfile returns the built-in profile with no permissions
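The following Go program is an added example for this page, not code from toolhive. It reimplements the three MountDeclaration formats documented above (the Parse, IsResourceURI, GetResourceType and IsValid behaviour) and then uses the Profile fields to flag the two settings the struct comments warn about, Privileged and InsecureAllowAll, together with any mount declaration that fails to parse. The MountDecl, ReviewProfile and the tag-less struct mirrors are this example's own names, and its validation rules (a resource URI is recognised by "://", the container path must be absolute, both paths are cleaned) are assumptions; the page only states that paths are cleaned and validated.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// MountDecl reimplements the three documented MountDeclaration formats
// (single path, host-path:container-path, resource-uri:container-path).
// Illustrative code written for this page, not toolhive's own parser.
type MountDecl string

// Minimal mirrors of the documented structs (JSON/YAML tags omitted).
type OutboundNetworkPermissions struct {
	InsecureAllowAll bool
	AllowHost        []string
	AllowPort        []int
}
type NetworkPermissions struct{ Outbound *OutboundNetworkPermissions }
type Profile struct {
	Name       string
	Read       []MountDecl
	Write      []MountDecl
	Network    *NetworkPermissions
	Privileged bool
}

// IsResourceURI reports whether the declaration carries a URI scheme such as
// "volume://". Recognising the scheme by "://" is an assumption of this example.
func (m MountDecl) IsResourceURI() bool {
	return strings.Index(string(m), "://") > 0
}

// ResourceType returns the scheme of a resource URI: "volume" for "volume://name".
func (m MountDecl) ResourceType() (string, error) {
	i := strings.Index(string(m), "://")
	if i <= 0 {
		return "", fmt.Errorf("%q is not a resource URI", string(m))
	}
	return string(m)[:i], nil
}

// Parse splits a declaration into source and target. The validation applied
// here (non-empty source, cleaned paths, absolute container path) is this
// example's assumption; the page only says paths are cleaned and validated.
func (m MountDecl) Parse() (source, target string, err error) {
	s := strings.TrimSpace(string(m))
	if s == "" {
		return "", "", errors.New("empty mount declaration")
	}
	if m.IsResourceURI() {
		// Split at the last ':' so the "://" inside the URI stays intact.
		sep := strings.LastIndex(s, ":")
		if sep == strings.Index(s, "://") {
			return "", "", fmt.Errorf("%q: resource URI needs a container path", s)
		}
		source, target = s[:sep], s[sep+1:]
	} else {
		parts := strings.SplitN(s, ":", 2)
		if parts[0] == "" {
			return "", "", fmt.Errorf("%q: empty host path", s)
		}
		source = path.Clean(parts[0])
		target = source // single path: same location on host and in container
		if len(parts) == 2 {
			target = parts[1]
		}
	}
	if !path.IsAbs(target) {
		return "", "", fmt.Errorf("%q: container path must be absolute", s)
	}
	return source, path.Clean(target), nil
}

// IsValid reports whether Parse accepts the declaration.
func (m MountDecl) IsValid() bool {
	_, _, err := m.Parse()
	return err == nil
}

// ReviewProfile lists what to raise before a profile is applied: the two
// settings the package comments warn about (Privileged, InsecureAllowAll)
// and every read/write mount declaration that fails to parse.
func ReviewProfile(p Profile) []string {
	var findings []string
	if p.Privileged {
		findings = append(findings, "privileged=true removes most security isolation")
	}
	if p.Network != nil && p.Network.Outbound != nil && p.Network.Outbound.InsecureAllowAll {
		findings = append(findings, "outbound.insecure_allow_all=true bypasses allow_host/allow_port")
	}
	for _, m := range append(append([]MountDecl{}, p.Read...), p.Write...) {
		if _, _, err := m.Parse(); err != nil {
			findings = append(findings, "mount: "+err.Error())
		}
	}
	return findings
}
```

Running ReviewProfile over a profile before handing it to the runtime turns the "use with extreme caution" comment into a check: a profile equivalent to the built-in "none" profile produces no findings, while one with privileged set, insecure_allow_all set and a resource URI that lacks a container path (such as "volume://cache") produces three.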