README

nsjail config proto

Protobuf schema for nsjail (GitHub). It is used to provide a hermetic build environment with arbitrary toolchain support.

How to update the file?

  1. git clone
$ git clone https://github.com/google/nsjail.git
  1. copy config.proto file.
$ cp nsjail/config.proto .
  1. Add option go_package = "go.chromium.org/goma/server/proto/nsjail";

Documentation

Index

Constants

// Default values for the optional IdMap fields. They mirror the def= entries
// in the IdMap struct tags.
const (
	// An empty string means "current uid/gid" (per the IdMap field comment).
	Default_IdMap_InsideId    = string("")
	// NOTE(review): OutsideId has no field comment of its own; presumably the
	// empty string has the same "current uid/gid" meaning — confirm upstream.
	Default_IdMap_OutsideId   = string("")
	// See 'man user_namespaces' for the meaning of count; the default maps a
	// range of length 1.
	Default_IdMap_Count       = uint32(1)
	// The /usr/bin/new[u|g]idmap helper is not used unless explicitly enabled.
	Default_IdMap_UseNewidmap = bool(false)
)

    Default values for IdMap fields.

    // Default values for the optional MountPt fields. They mirror the def=
    // entries in the MountPt struct tags.
    const (
    	Default_MountPt_Src          = string("")
    	Default_MountPt_PrefixSrcEnv = string("")
    	Default_MountPt_Dst          = string("")
    	Default_MountPt_PrefixDstEnv = string("")
    	Default_MountPt_Fstype       = string("")
    	Default_MountPt_Options      = string("")
    	Default_MountPt_IsBind       = bool(false)
    	// Mounts are not read-write unless rw is set explicitly.
    	Default_MountPt_Rw           = bool(false)
    	// By default the sandboxing fails if a mount cannot be established, so
    	// a missing mount is not silently skipped.
    	Default_MountPt_Mandatory    = bool(true)
    	Default_MountPt_IsSymlink    = bool(false)
    	// nosuid, nodev and noexec are all off by default: a config that mounts
    	// writable or untrusted content has to opt in to each flag itself.
    	Default_MountPt_Nosuid       = bool(false)
    	Default_MountPt_Nodev        = bool(false)
    	Default_MountPt_Noexec       = bool(false)
    )

      Default values for MountPt fields.

      // Default values for the optional NsJailConfig fields. They mirror the
      // def= entries in the NsJailConfig struct tags. The comments below only
      // restate what the field comments and enum comments on this page say.
      const (
      	Default_NsJailConfig_Name                    = string("")
      	// Mode_ONCE: run the command once only.
      	Default_NsJailConfig_Mode                    = Mode_ONCE
      	// is_root_rw is marked deprecated in the struct (use bind mounts).
      	Default_NsJailConfig_IsRootRw                = bool(false)
      	Default_NsJailConfig_Hostname                = string("NSJAIL")
      	Default_NsJailConfig_Cwd                     = string("/")
      	// port, bindhost and max_conns_per_ip only matter with mode=LISTEN.
      	// NOTE(review): presumably max_conns_per_ip=0 means "no per-IP cap" —
      	// confirm before relying on it for a network-exposed jail.
      	Default_NsJailConfig_Port                    = uint32(0)
      	Default_NsJailConfig_Bindhost                = string("::")
      	Default_NsJailConfig_MaxConnsPerIp           = uint32(0)
      	// Wall-time limit for commands. The field comment gives no unit;
      	// presumably seconds — TODO confirm.
      	Default_NsJailConfig_TimeLimit               = uint32(600)
      	Default_NsJailConfig_Daemon                  = bool(false)
      	// 0 means no limit on the number of CPUs.
      	Default_NsJailConfig_MaxCpus                 = uint32(0)
      	// The caller's environment is not kept and capabilities are not kept
      	// unless the config asks for it.
      	Default_NsJailConfig_KeepEnv                 = bool(false)
      	Default_NsJailConfig_KeepCaps                = bool(false)
      	Default_NsJailConfig_Silent                  = bool(false)
      	// The field comment calls skipping setsid dangerous (the child can put
      	// characters back into the controlling terminal); it is off by default.
      	Default_NsJailConfig_SkipSetsid              = bool(false)
      	Default_NsJailConfig_StderrToNull            = bool(false)
      	// Setting disable_no_new_privs to true allows set-uid binaries inside
      	// the jail; the default keeps that disallowed.
      	Default_NsJailConfig_DisableNoNewPrivs       = bool(false)
      	// The numeric rlimit_* values are used only when the matching *_type is
      	// RLimit_VALUE. Units per the field comments: as/core/fsize/stack in
      	// MiB, cpu in seconds; no unit is given for nofile and nproc.
      	Default_NsJailConfig_RlimitAs                = uint64(512)
      	Default_NsJailConfig_RlimitAsType            = RLimit_VALUE
      	Default_NsJailConfig_RlimitCore              = uint64(0)
      	Default_NsJailConfig_RlimitCoreType          = RLimit_VALUE
      	Default_NsJailConfig_RlimitCpu               = uint64(600)
      	Default_NsJailConfig_RlimitCpuType           = RLimit_VALUE
      	Default_NsJailConfig_RlimitFsize             = uint64(1)
      	Default_NsJailConfig_RlimitFsizeType         = RLimit_VALUE
      	Default_NsJailConfig_RlimitNofile            = uint64(32)
      	Default_NsJailConfig_RlimitNofileType        = RLimit_VALUE
      	// nproc and stack default to RLimit_SOFT, so the numbers 1024 and
      	// 1048576 are not applied unless the type is switched to RLimit_VALUE.
      	Default_NsJailConfig_RlimitNproc             = uint64(1024)
      	Default_NsJailConfig_RlimitNprocType         = RLimit_SOFT
      	Default_NsJailConfig_RlimitStack             = uint64(1048576)
      	Default_NsJailConfig_RlimitStackType         = RLimit_SOFT
      	// personality(2) flags; all off by default. See 'man personality'.
      	Default_NsJailConfig_PersonaAddrCompatLayout = bool(false)
      	Default_NsJailConfig_PersonaMmapPageZero     = bool(false)
      	Default_NsJailConfig_PersonaReadImpliesExec  = bool(false)
      	Default_NsJailConfig_PersonaAddrLimit_3Gb    = bool(false)
      	Default_NsJailConfig_PersonaAddrNoRandomize  = bool(false)
      	// Every namespace is enabled by default. A config that sets any of
      	// these to false shares that namespace with the host and deserves
      	// review. clone_newcgroup must be disabled on kernels older than 4.6.
      	Default_NsJailConfig_CloneNewnet             = bool(true)
      	Default_NsJailConfig_CloneNewuser            = bool(true)
      	Default_NsJailConfig_CloneNewns              = bool(true)
      	Default_NsJailConfig_CloneNewpid             = bool(true)
      	Default_NsJailConfig_CloneNewipc             = bool(true)
      	Default_NsJailConfig_CloneNewuts             = bool(true)
      	Default_NsJailConfig_CloneNewcgroup          = bool(true)
      	// /proc is not mounted unless requested here or in the 'mount' section.
      	Default_NsJailConfig_MountProc               = bool(false)
      	Default_NsJailConfig_SeccompLog              = bool(false)
      	// cgroup_mem_max and cgroup_pids_max take effect only when > 0, so no
      	// cgroup memory or PID ceiling is applied by default.
      	// NOTE(review): the net_cls and cpu cgroup fields are declared outside
      	// this view; presumably 0 likewise means "not set" — confirm.
      	Default_NsJailConfig_CgroupMemMax            = uint64(0)
      	Default_NsJailConfig_CgroupMemMount          = string("/sys/fs/cgroup/memory")
      	Default_NsJailConfig_CgroupMemParent         = string("NSJAIL")
      	Default_NsJailConfig_CgroupPidsMax           = uint64(0)
      	Default_NsJailConfig_CgroupPidsMount         = string("/sys/fs/cgroup/pids")
      	Default_NsJailConfig_CgroupPidsParent        = string("NSJAIL")
      	Default_NsJailConfig_CgroupNetClsClassid     = uint32(0)
      	Default_NsJailConfig_CgroupNetClsMount       = string("/sys/fs/cgroup/net_cls")
      	Default_NsJailConfig_CgroupNetClsParent      = string("NSJAIL")
      	Default_NsJailConfig_CgroupCpuMsPerSec       = uint32(0)
      	Default_NsJailConfig_CgroupCpuMount          = string("/sys/fs/cgroup/cpu")
      	Default_NsJailConfig_CgroupCpuParent         = string("NSJAIL")
      	// NOTE(review): the iface_no_lo and macvlan_* fields are declared
      	// outside this view; the values look like an interface address,
      	// netmask, gateway and MAC — confirm against config.proto.
      	Default_NsJailConfig_IfaceNoLo               = bool(false)
      	Default_NsJailConfig_MacvlanVsIp             = string("192.168.0.2")
      	Default_NsJailConfig_MacvlanVsNm             = string("255.255.255.0")
      	Default_NsJailConfig_MacvlanVsGw             = string("192.168.0.1")
      	Default_NsJailConfig_MacvlanVsMa             = string("")
      )

        Default values for NsJailConfig fields.

        // Default values for the optional Exe fields.
        const (
        	// execveat() on a file descriptor is not used unless exec_fd is set.
        	Default_Exe_ExecFd = bool(false)
        )

          Default values for Exe fields.

          Variables

          // Enum value maps for Mode: Mode_name maps the numeric value to its
          // name and Mode_value is the inverse lookup. Both are package-level
          // variables, so they are mutable by any importer; treat them as
          // read-only.
          var (
          	Mode_name = map[int32]string{
          		0: "LISTEN",
          		1: "ONCE",
          		2: "RERUN",
          		3: "EXECVE",
          	}
          	Mode_value = map[string]int32{
          		"LISTEN": 0,
          		"ONCE":   1,
          		"RERUN":  2,
          		"EXECVE": 3,
          	}
          )

            Enum value maps for Mode.

            // Enum value maps for LogLevel: LogLevel_name maps the numeric value
            // to its name and LogLevel_value is the inverse lookup. Lower numbers
            // are more verbose (DEBUG=0 ... FATAL=4).
            var (
            	LogLevel_name = map[int32]string{
            		0: "DEBUG",
            		1: "INFO",
            		2: "WARNING",
            		3: "ERROR",
            		4: "FATAL",
            	}
            	LogLevel_value = map[string]int32{
            		"DEBUG":   0,
            		"INFO":    1,
            		"WARNING": 2,
            		"ERROR":   3,
            		"FATAL":   4,
            	}
            )

              Enum value maps for LogLevel.

              // Enum value maps for RLimit: RLimit_name maps the numeric value to
              // its name and RLimit_value is the inverse lookup. Per the
              // NsJailConfig field comment, a numeric rlimit_* setting is used only
              // when its *_type is VALUE.
              // NOTE(review): SOFT/HARD/INF presumably select the current soft
              // limit, the current hard limit, and "unlimited" — confirm upstream.
              var (
              	RLimit_name = map[int32]string{
              		0: "VALUE",
              		1: "SOFT",
              		2: "HARD",
              		3: "INF",
              	}
              	RLimit_value = map[string]int32{
              		"VALUE": 0,
              		"SOFT":  1,
              		"HARD":  2,
              		"INF":   3,
              	}
              )

                Enum value maps for RLimit.

                // Default value for MountPt.SrcContent. It is declared with var
                // rather than const because a []byte cannot be a Go constant; the
                // default is an empty buffer, i.e. no content is written to dst.
                var (
                	Default_MountPt_SrcContent = []byte("")
                )

                  Default values for MountPt fields.

                  var File_nsjail_config_proto protoreflect.FileDescriptor

                  Functions

                  This section is empty.

                  Types

                  type Exe

                  // Exe describes the program to execute: its path, its argument
                  // vector, and whether it is started via execveat() on a file
                  // descriptor. Path is the only required field (req in the tag).
                  type Exe struct {
                  
                  	// Will be used both as execv's path and as argv[0]
                  	Path *string `protobuf:"bytes,1,req,name=path" json:"path,omitempty"`
                  	// This will be argv[1] and so on..
                  	Arg []string `protobuf:"bytes,2,rep,name=arg" json:"arg,omitempty"`
                  	// Override argv[0]
                  	Arg0 *string `protobuf:"bytes,3,opt,name=arg0" json:"arg0,omitempty"`
                  	// Should execveat() be used to execute a file-descriptor instead?
                  	// Defaults to false (def=0).
                  	ExecFd *bool `protobuf:"varint,4,opt,name=exec_fd,json=execFd,def=0" json:"exec_fd,omitempty"`
                  	// contains filtered or unexported fields
                  }

                  func (*Exe) Descriptor

                  func (*Exe) Descriptor() ([]byte, []int)

                    Deprecated: Use Exe.ProtoReflect.Descriptor instead.

                    func (*Exe) GetArg

                    func (x *Exe) GetArg() []string

                    func (*Exe) GetArg0

                    func (x *Exe) GetArg0() string

                    func (*Exe) GetExecFd

                    func (x *Exe) GetExecFd() bool

                    func (*Exe) GetPath

                    func (x *Exe) GetPath() string

                    func (*Exe) ProtoMessage

                    func (*Exe) ProtoMessage()

                    func (*Exe) ProtoReflect

                    func (x *Exe) ProtoReflect() protoreflect.Message

                    func (*Exe) Reset

                    func (x *Exe) Reset()

                    func (*Exe) String

                    func (x *Exe) String() string

                    type IdMap

                    // IdMap is one UID or GID mapping entry; NsJailConfig holds lists of
                    // these in its uidmap and gidmap fields. All fields are optional.
                    type IdMap struct {
                    
                    	// Empty string means "current uid/gid"
                    	InsideId  *string `protobuf:"bytes,1,opt,name=inside_id,json=insideId,def=" json:"inside_id,omitempty"`
                    	// NOTE(review): no upstream comment; presumably the ID outside
                    	// the jail that inside_id is mapped to — confirm.
                    	OutsideId *string `protobuf:"bytes,2,opt,name=outside_id,json=outsideId,def=" json:"outside_id,omitempty"`
                    	// See 'man user_namespaces' for the meaning of count
                    	// (defaults to 1).
                    	Count *uint32 `protobuf:"varint,3,opt,name=count,def=1" json:"count,omitempty"`
                    	// Does this map use /usr/bin/new[u|g]idmap binary?
                    	// Defaults to false.
                    	UseNewidmap *bool `protobuf:"varint,4,opt,name=use_newidmap,json=useNewidmap,def=0" json:"use_newidmap,omitempty"`
                    	// contains filtered or unexported fields
                    }

                    func (*IdMap) Descriptor

                    func (*IdMap) Descriptor() ([]byte, []int)

                      Deprecated: Use IdMap.ProtoReflect.Descriptor instead.

                      func (*IdMap) GetCount

                      func (x *IdMap) GetCount() uint32

                      func (*IdMap) GetInsideId

                      func (x *IdMap) GetInsideId() string

                      func (*IdMap) GetOutsideId

                      func (x *IdMap) GetOutsideId() string

                      func (*IdMap) GetUseNewidmap

                      func (x *IdMap) GetUseNewidmap() bool

                      func (*IdMap) ProtoMessage

                      func (*IdMap) ProtoMessage()

                      func (*IdMap) ProtoReflect

                      func (x *IdMap) ProtoReflect() protoreflect.Message

                      func (*IdMap) Reset

                      func (x *IdMap) Reset()

                      func (*IdMap) String

                      func (x *IdMap) String() string

                      type LogLevel

                      type LogLevel int32

                        Should be self explanatory

                        // Values of LogLevel. NsJailConfig.LogLevel uses them as the
                        // minimum log level displayed; the log_level field carries no def=
                        // in its struct tag.
                        const (
                        	LogLevel_DEBUG   LogLevel = 0 // Equivalent to the '-v' cmd-line option
                        	LogLevel_INFO    LogLevel = 1 // Default level
                        	LogLevel_WARNING LogLevel = 2 // Equivalent to the '-q' cmd-line option
                        	LogLevel_ERROR   LogLevel = 3
                        	LogLevel_FATAL   LogLevel = 4
                        )

                        func (LogLevel) Descriptor

                        func (LogLevel) Descriptor() protoreflect.EnumDescriptor

                        func (LogLevel) Enum

                        func (x LogLevel) Enum() *LogLevel

                        func (LogLevel) EnumDescriptor

                        func (LogLevel) EnumDescriptor() ([]byte, []int)

                          Deprecated: Use LogLevel.Descriptor instead.

                          func (LogLevel) Number

                          func (x LogLevel) Number() protoreflect.EnumNumber

                          func (LogLevel) String

                          func (x LogLevel) String() string

                          func (LogLevel) Type

                          func (*LogLevel) UnmarshalJSON

                          func (x *LogLevel) UnmarshalJSON(b []byte) error

                            Deprecated: Do not use.

                            type Mode

                            // Mode is the nsjail execution mode. NsJailConfig.Mode defaults to
                            // Mode_ONCE.
                            type Mode int32
                            const (
                            	// The port, bindhost and max_conns_per_ip settings of NsJailConfig
                            	// apply to this mode only.
                            	Mode_LISTEN Mode = 0 // Listening on a TCP port
                            	Mode_ONCE   Mode = 1 // Running the command once only
                            	Mode_RERUN  Mode = 2 // Re-executing the command (forever)
                            	// NOTE(review): with no supervisor process, confirm which limits
                            	// (e.g. the wall-time time_limit) are still enforced in this mode.
                            	Mode_EXECVE Mode = 3 // Executing command w/o the supervisor
                            )

                            func (Mode) Descriptor

                            func (Mode) Descriptor() protoreflect.EnumDescriptor

                            func (Mode) Enum

                            func (x Mode) Enum() *Mode

                            func (Mode) EnumDescriptor

                            func (Mode) EnumDescriptor() ([]byte, []int)

                              Deprecated: Use Mode.Descriptor instead.

                              func (Mode) Number

                              func (x Mode) Number() protoreflect.EnumNumber

                              func (Mode) String

                              func (x Mode) String() string

                              func (Mode) Type

                              func (Mode) Type() protoreflect.EnumType

                              func (*Mode) UnmarshalJSON

                              func (x *Mode) UnmarshalJSON(b []byte) error

                                Deprecated: Do not use.

                                type MountPt

                                // MountPt describes one mount point inside the jail; NsJailConfig
                                // holds a list of these in its mount field. Dst is the only required
                                // field (req in the tag). The hardening flags rw, nosuid, nodev and
                                // noexec all default to off (def=0), so a mount is read-only by
                                // default but is not nosuid/nodev/noexec unless the config says so.
                                type MountPt struct {
                                
                                	// Can be skipped for filesystems like 'proc'
                                	Src *string `protobuf:"bytes,1,opt,name=src,def=" json:"src,omitempty"`
                                	// Should 'src' path be prefixed with this envvar?
                                	// NOTE(review): the variable's value becomes part of the source
                                	// path, so the environment nsjail is launched from should be
                                	// trusted when this is set.
                                	PrefixSrcEnv *string `protobuf:"bytes,2,opt,name=prefix_src_env,json=prefixSrcEnv,def=" json:"prefix_src_env,omitempty"`
                                	// If specified, contains buffer that will be written to the dst file
                                	SrcContent []byte `protobuf:"bytes,3,opt,name=src_content,json=srcContent,def=" json:"src_content,omitempty"`
                                	// Mount point inside jail
                                	Dst *string `protobuf:"bytes,4,req,name=dst,def=" json:"dst,omitempty"`
                                	// Should 'dst' path be prefixed with this envvar?
                                	PrefixDstEnv *string `protobuf:"bytes,5,opt,name=prefix_dst_env,json=prefixDstEnv,def=" json:"prefix_dst_env,omitempty"`
                                	// Can be empty for mount --bind mounts
                                	Fstype *string `protobuf:"bytes,6,opt,name=fstype,def=" json:"fstype,omitempty"`
                                	// E.g. size=5000000 for 'tmpfs'
                                	Options *string `protobuf:"bytes,7,opt,name=options,def=" json:"options,omitempty"`
                                	// Is it a 'mount --bind src dst' type of mount?
                                	IsBind *bool `protobuf:"varint,8,opt,name=is_bind,json=isBind,def=0" json:"is_bind,omitempty"`
                                	// Is it a R/W mount? Defaults to false, i.e. not read-write.
                                	Rw *bool `protobuf:"varint,9,opt,name=rw,def=0" json:"rw,omitempty"`
                                	// Is it a directory? If not specified, an internal
                                	// heuristic is used to determine that.
                                	IsDir *bool `protobuf:"varint,10,opt,name=is_dir,json=isDir" json:"is_dir,omitempty"`
                                	// Should the sandboxing fail if we cannot mount this resource?
                                	// Defaults to true.
                                	Mandatory *bool `protobuf:"varint,11,opt,name=mandatory,def=1" json:"mandatory,omitempty"`
                                	// Is it a symlink (instead of real mount point)?
                                	IsSymlink *bool `protobuf:"varint,12,opt,name=is_symlink,json=isSymlink,def=0" json:"is_symlink,omitempty"`
                                	// Is it a nosuid mount? Defaults to false.
                                	Nosuid *bool `protobuf:"varint,13,opt,name=nosuid,def=0" json:"nosuid,omitempty"`
                                	// Is it a nodev mount? Defaults to false.
                                	Nodev *bool `protobuf:"varint,14,opt,name=nodev,def=0" json:"nodev,omitempty"`
                                	// Is it a noexec mount? Defaults to false.
                                	Noexec *bool `protobuf:"varint,15,opt,name=noexec,def=0" json:"noexec,omitempty"`
                                	// contains filtered or unexported fields
                                }

                                func (*MountPt) Descriptor

                                func (*MountPt) Descriptor() ([]byte, []int)

                                  Deprecated: Use MountPt.ProtoReflect.Descriptor instead.

                                  func (*MountPt) GetDst

                                  func (x *MountPt) GetDst() string

                                  func (*MountPt) GetFstype

                                  func (x *MountPt) GetFstype() string

                                  func (*MountPt) GetIsBind

                                  func (x *MountPt) GetIsBind() bool

                                  func (*MountPt) GetIsDir

                                  func (x *MountPt) GetIsDir() bool
                                  func (x *MountPt) GetIsSymlink() bool

                                  func (*MountPt) GetMandatory

                                  func (x *MountPt) GetMandatory() bool

                                  func (*MountPt) GetNodev

                                  func (x *MountPt) GetNodev() bool

                                  func (*MountPt) GetNoexec

                                  func (x *MountPt) GetNoexec() bool

                                  func (*MountPt) GetNosuid

                                  func (x *MountPt) GetNosuid() bool

                                  func (*MountPt) GetOptions

                                  func (x *MountPt) GetOptions() string

                                  func (*MountPt) GetPrefixDstEnv

                                  func (x *MountPt) GetPrefixDstEnv() string

                                  func (*MountPt) GetPrefixSrcEnv

                                  func (x *MountPt) GetPrefixSrcEnv() string

                                  func (*MountPt) GetRw

                                  func (x *MountPt) GetRw() bool

                                  func (*MountPt) GetSrc

                                  func (x *MountPt) GetSrc() string

                                  func (*MountPt) GetSrcContent

                                  func (x *MountPt) GetSrcContent() []byte

                                  func (*MountPt) ProtoMessage

                                  func (*MountPt) ProtoMessage()

                                  func (*MountPt) ProtoReflect

                                  func (x *MountPt) ProtoReflect() protoreflect.Message

                                  func (*MountPt) Reset

                                  func (x *MountPt) Reset()

                                  func (*MountPt) String

                                  func (x *MountPt) String() string

                                  type NsJailConfig

                                  type NsJailConfig struct {
                                  
                                  	// Optional name and description for this config
                                  	Name        *string  `protobuf:"bytes,1,opt,name=name,def=" json:"name,omitempty"`
                                  	Description []string `protobuf:"bytes,2,rep,name=description" json:"description,omitempty"`
                                  	// Execution mode: see 'msg Mode' description for more
                                  	Mode *Mode `protobuf:"varint,3,opt,name=mode,enum=nsjail.Mode,def=1" json:"mode,omitempty"`
                                  	// Equivalent to a bind mount with dst='/'. DEPRECATED: Use bind mounts.
                                  	// Deprecated: Do not use.
                                  	ChrootDir *string `protobuf:"bytes,4,opt,name=chroot_dir,json=chrootDir" json:"chroot_dir,omitempty"`
                                  	// Applies both to the chroot_dir and to /proc mounts. DEPRECATED: Use bind mounts
                                  	// Deprecated: Do not use.
                                  	IsRootRw *bool `protobuf:"varint,5,opt,name=is_root_rw,json=isRootRw,def=0" json:"is_root_rw,omitempty"`
                                  	// Hostname inside jail
                                  	Hostname *string `protobuf:"bytes,8,opt,name=hostname,def=NSJAIL" json:"hostname,omitempty"`
                                  	// Initial current working directory for the binary
                                  	Cwd *string `protobuf:"bytes,9,opt,name=cwd,def=/" json:"cwd,omitempty"`
                                  	// TCP port to listen to. Valid with mode=LISTEN only
                                  	Port *uint32 `protobuf:"varint,10,opt,name=port,def=0" json:"port,omitempty"`
                                  	// Host to bind to for mode=LISTEN. Must be in IPv6 format
                                  	Bindhost *string `protobuf:"bytes,11,opt,name=bindhost,def=::" json:"bindhost,omitempty"`
                                  	// For mode=LISTEN, maximum number of connections from a single IP
                                  	MaxConnsPerIp *uint32 `protobuf:"varint,12,opt,name=max_conns_per_ip,json=maxConnsPerIp,def=0" json:"max_conns_per_ip,omitempty"`
                                  	// Wall-time time limit for commands
                                  	TimeLimit *uint32 `protobuf:"varint,13,opt,name=time_limit,json=timeLimit,def=600" json:"time_limit,omitempty"`
                                  	// Should nsjail go into background?
                                  	Daemon *bool `protobuf:"varint,14,opt,name=daemon,def=0" json:"daemon,omitempty"`
                                  	// Maximum number of CPUs to use: 0 - no limit
                                  	MaxCpus *uint32 `protobuf:"varint,15,opt,name=max_cpus,json=maxCpus,def=0" json:"max_cpus,omitempty"`
                                  	// FD to log to.
                                  	LogFd *int32 `protobuf:"varint,16,opt,name=log_fd,json=logFd" json:"log_fd,omitempty"`
                                  	// File to save lofs to
                                  	LogFile *string `protobuf:"bytes,17,opt,name=log_file,json=logFile" json:"log_file,omitempty"`
                                  	// Minimum log level displayed.
                                  	//See 'msg LogLevel' description for more
                                  	LogLevel *LogLevel `protobuf:"varint,18,opt,name=log_level,json=logLevel,enum=nsjail.LogLevel" json:"log_level,omitempty"`
                                  	// Should the current environment variables be kept
                                  	//when executing the binary
                                  	KeepEnv *bool `protobuf:"varint,19,opt,name=keep_env,json=keepEnv,def=0" json:"keep_env,omitempty"`
                                  	// EnvVars to be set before executing binaries. If the envvar doesn't contain '='
                                  	//(e.g. just the 'DISPLAY' string), the current envvar value will be used
                                  	Envar []string `protobuf:"bytes,20,rep,name=envar" json:"envar,omitempty"`
                                  	// Should capabilities be preserved or dropped
                                  	KeepCaps *bool `protobuf:"varint,21,opt,name=keep_caps,json=keepCaps,def=0" json:"keep_caps,omitempty"`
                                  	// Which capabilities should be preserved if keep_caps == false.
                                  	//Format: "CAP_SYS_PTRACE"
                                  	Cap []string `protobuf:"bytes,22,rep,name=cap" json:"cap,omitempty"`
                                  	// Should nsjail close FD=0,1,2 before executing the process
                                  	Silent *bool `protobuf:"varint,23,opt,name=silent,def=0" json:"silent,omitempty"`
                                  	// Should the child process have control over terminal?
                                  	//Can be useful to allow /bin/sh to provide
                                  	//job control / signals. Dangerous, can be used to put
                                  	//characters into the controlling terminal back
                                  	SkipSetsid *bool `protobuf:"varint,24,opt,name=skip_setsid,json=skipSetsid,def=0" json:"skip_setsid,omitempty"`
                                  	// Redirect sdterr of the process to /dev/null instead of the socket or original TTY
                                  	StderrToNull *bool `protobuf:"varint,25,opt,name=stderr_to_null,json=stderrToNull,def=0" json:"stderr_to_null,omitempty"`
                                  	// Which FDs should be passed to the newly executed process
                                  	//By default only FD=0,1,2 are passed
                                  	PassFd []int32 `protobuf:"varint,26,rep,name=pass_fd,json=passFd" json:"pass_fd,omitempty"`
                                  	// Setting it to true will allow to have set-uid binaries
                                  	//inside the jail
                                  	DisableNoNewPrivs *bool `protobuf:"varint,27,opt,name=disable_no_new_privs,json=disableNoNewPrivs,def=0" json:"disable_no_new_privs,omitempty"`
                                  	// Various rlimits, the rlimit_as/rlimit_core/... are used only if
                                  	//rlimit_as_type/rlimit_core_type/... are set to RLimit::VALUE
                                  	RlimitAs         *uint64 `protobuf:"varint,28,opt,name=rlimit_as,json=rlimitAs,def=512" json:"rlimit_as,omitempty"` // In MiB
                                  	RlimitAsType     *RLimit `protobuf:"varint,29,opt,name=rlimit_as_type,json=rlimitAsType,enum=nsjail.RLimit,def=0" json:"rlimit_as_type,omitempty"`
                                  	RlimitCore       *uint64 `protobuf:"varint,30,opt,name=rlimit_core,json=rlimitCore,def=0" json:"rlimit_core,omitempty"` // In MiB
                                  	RlimitCoreType   *RLimit `protobuf:"varint,31,opt,name=rlimit_core_type,json=rlimitCoreType,enum=nsjail.RLimit,def=0" json:"rlimit_core_type,omitempty"`
                                  	RlimitCpu        *uint64 `protobuf:"varint,32,opt,name=rlimit_cpu,json=rlimitCpu,def=600" json:"rlimit_cpu,omitempty"` // In seconds
                                  	RlimitCpuType    *RLimit `protobuf:"varint,33,opt,name=rlimit_cpu_type,json=rlimitCpuType,enum=nsjail.RLimit,def=0" json:"rlimit_cpu_type,omitempty"`
                                  	RlimitFsize      *uint64 `protobuf:"varint,34,opt,name=rlimit_fsize,json=rlimitFsize,def=1" json:"rlimit_fsize,omitempty"` // In MiB
                                  	RlimitFsizeType  *RLimit ``                                                                                                /* 128-byte string literal not displayed */
                                  	RlimitNofile     *uint64 `protobuf:"varint,36,opt,name=rlimit_nofile,json=rlimitNofile,def=32" json:"rlimit_nofile,omitempty"`
                                  	RlimitNofileType *RLimit `` /* 131-byte string literal not displayed */
                                  	// RLIMIT_NPROC is system-wide - tricky to use; use the soft limit value by
                                  	// default here
                                  	RlimitNproc     *uint64 `protobuf:"varint,38,opt,name=rlimit_nproc,json=rlimitNproc,def=1024" json:"rlimit_nproc,omitempty"`
                                  	RlimitNprocType *RLimit `` /* 128-byte string literal not displayed */
                                  	// In MiB, use the soft limit value by default
                                  	RlimitStack     *uint64 `protobuf:"varint,40,opt,name=rlimit_stack,json=rlimitStack,def=1048576" json:"rlimit_stack,omitempty"`
                                  	RlimitStackType *RLimit `` /* 128-byte string literal not displayed */
                                  	// See 'man personality' for more
                                  	PersonaAddrCompatLayout *bool `` /* 135-byte string literal not displayed */
                                  	PersonaMmapPageZero     *bool `protobuf:"varint,43,opt,name=persona_mmap_page_zero,json=personaMmapPageZero,def=0" json:"persona_mmap_page_zero,omitempty"`
                                  	PersonaReadImpliesExec  *bool `` /* 132-byte string literal not displayed */
                                  	PersonaAddrLimit_3Gb    *bool `protobuf:"varint,45,opt,name=persona_addr_limit_3gb,json=personaAddrLimit3gb,def=0" json:"persona_addr_limit_3gb,omitempty"`
                                  	PersonaAddrNoRandomize  *bool `` /* 132-byte string literal not displayed */
                                  	// Which name-spaces should be used?
                                  	CloneNewnet  *bool `protobuf:"varint,47,opt,name=clone_newnet,json=cloneNewnet,def=1" json:"clone_newnet,omitempty"`
                                  	CloneNewuser *bool `protobuf:"varint,48,opt,name=clone_newuser,json=cloneNewuser,def=1" json:"clone_newuser,omitempty"`
                                  	CloneNewns   *bool `protobuf:"varint,49,opt,name=clone_newns,json=cloneNewns,def=1" json:"clone_newns,omitempty"`
                                  	CloneNewpid  *bool `protobuf:"varint,50,opt,name=clone_newpid,json=cloneNewpid,def=1" json:"clone_newpid,omitempty"`
                                  	CloneNewipc  *bool `protobuf:"varint,51,opt,name=clone_newipc,json=cloneNewipc,def=1" json:"clone_newipc,omitempty"`
                                  	CloneNewuts  *bool `protobuf:"varint,52,opt,name=clone_newuts,json=cloneNewuts,def=1" json:"clone_newuts,omitempty"`
                                  	// Disable for kernel versions < 4.6 as it's not supported there
                                  	CloneNewcgroup *bool `protobuf:"varint,53,opt,name=clone_newcgroup,json=cloneNewcgroup,def=1" json:"clone_newcgroup,omitempty"`
                                  	// Mappings for UIDs and GIDs. See the description for 'msg IdMap'
                                  	//for more
                                  	Uidmap []*IdMap `protobuf:"bytes,54,rep,name=uidmap" json:"uidmap,omitempty"`
                                  	Gidmap []*IdMap `protobuf:"bytes,55,rep,name=gidmap" json:"gidmap,omitempty"`
                                  	// Should /proc be mounted (R/O)? This can also be added in the 'mount'
                                  	//section below
                                  	MountProc *bool `protobuf:"varint,56,opt,name=mount_proc,json=mountProc,def=0" json:"mount_proc,omitempty"`
                                  	// Mount points inside the jail. See the description for 'msg MountPt'
                                  	//for more
                                  	Mount []*MountPt `protobuf:"bytes,57,rep,name=mount" json:"mount,omitempty"`
                                  	// Kafel seccomp-bpf policy file or a string:
                                  	//Homepage of the project: https://github.com/google/kafel
                                  	SeccompPolicyFile *string  `protobuf:"bytes,58,opt,name=seccomp_policy_file,json=seccompPolicyFile" json:"seccomp_policy_file,omitempty"`
                                  	SeccompString     []string `protobuf:"bytes,59,rep,name=seccomp_string,json=seccompString" json:"seccomp_string,omitempty"`
                                  	// Setting it to true makes audit write seccomp logs to dmesg
                                  	SeccompLog *bool `protobuf:"varint,60,opt,name=seccomp_log,json=seccompLog,def=0" json:"seccomp_log,omitempty"`
                                  	// If > 0, maximum cumulative size of RAM used inside any jail
                                  	CgroupMemMax *uint64 `protobuf:"varint,61,opt,name=cgroup_mem_max,json=cgroupMemMax,def=0" json:"cgroup_mem_max,omitempty"` // In MiB
                                  	// Mount point for cgroups-memory in your system
                                  	CgroupMemMount *string `protobuf:"bytes,62,opt,name=cgroup_mem_mount,json=cgroupMemMount,def=/sys/fs/cgroup/memory" json:"cgroup_mem_mount,omitempty"`
                                  	// Writeable directory (for the nsjail user) under cgroup_mem_mount
                                  	CgroupMemParent *string `protobuf:"bytes,63,opt,name=cgroup_mem_parent,json=cgroupMemParent,def=NSJAIL" json:"cgroup_mem_parent,omitempty"`
                                  	// If > 0, maximum number of PIDs (threads/processes) inside jail
                                  	CgroupPidsMax *uint64 `protobuf:"varint,64,opt,name=cgroup_pids_max,json=cgroupPidsMax,def=0" json:"cgroup_pids_max,omitempty"`
                                  	// Mount point for cgroups-pids in your system
                                  	CgroupPidsMount *string `` /* 126-byte string literal not displayed */
                                  	// Writeable directory (for the nsjail user) under cgroup_pids_mount
                                  	CgroupPidsParent *string `protobuf:"bytes,66,opt,name=cgroup_pids_parent,json=cgroupPidsParent,def=NSJAIL" json:"cgroup_pids_parent,omitempty"`
                                  	// If > 0, Class identifier of network packets inside jail
                                  	CgroupNetClsClassid *uint32 `protobuf:"varint,67,opt,name=cgroup_net_cls_classid,json=cgroupNetClsClassid,def=0" json:"cgroup_net_cls_classid,omitempty"`
                                  	// Mount point for cgroups-net-cls in your system
                                  	CgroupNetClsMount *string `` /* 137-byte string literal not displayed */
                                  	// Writeable directory (for the nsjail user) under cgroup_net_cls_mount
                                  	CgroupNetClsParent *string `protobuf:"bytes,69,opt,name=cgroup_net_cls_parent,json=cgroupNetClsParent,def=NSJAIL" json:"cgroup_net_cls_parent,omitempty"`
                                  	// If > 0 number of milliseconds of CPU that jail processes can use per each second
                                  	CgroupCpuMsPerSec *uint32 `protobuf:"varint,70,opt,name=cgroup_cpu_ms_per_sec,json=cgroupCpuMsPerSec,def=0" json:"cgroup_cpu_ms_per_sec,omitempty"`
                                  	// Mount point for cgroups-cpu in your system
                                  	CgroupCpuMount *string `protobuf:"bytes,71,opt,name=cgroup_cpu_mount,json=cgroupCpuMount,def=/sys/fs/cgroup/cpu" json:"cgroup_cpu_mount,omitempty"`
                                  	// Writeable directory (for the nsjail user) under cgroup_cpu_mount
                                  	CgroupCpuParent *string `protobuf:"bytes,72,opt,name=cgroup_cpu_parent,json=cgroupCpuParent,def=NSJAIL" json:"cgroup_cpu_parent,omitempty"`
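                                  	// Should the 'lo' interface be brought up (active) inside this jail?
                                  	// Note the inverted name: iface_no_lo defaults to false, and setting it
                                  	// to true means 'lo' is NOT brought up inside the jail.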
                                  	IfaceNoLo *bool `protobuf:"varint,73,opt,name=iface_no_lo,json=ifaceNoLo,def=0" json:"iface_no_lo,omitempty"`
                                  	// Put this interface inside the jail
                                  	IfaceOwn []string `protobuf:"bytes,74,rep,name=iface_own,json=ifaceOwn" json:"iface_own,omitempty"`
                                  	// Parameters for the cloned MACVLAN interface inside jail
                                  	MacvlanIface *string `protobuf:"bytes,75,opt,name=macvlan_iface,json=macvlanIface" json:"macvlan_iface,omitempty"` // Interface to be cloned, eg 'eth0'
                                  	MacvlanVsIp  *string `protobuf:"bytes,76,opt,name=macvlan_vs_ip,json=macvlanVsIp,def=192.168.0.2" json:"macvlan_vs_ip,omitempty"`
                                  	MacvlanVsNm  *string `protobuf:"bytes,77,opt,name=macvlan_vs_nm,json=macvlanVsNm,def=255.255.255.0" json:"macvlan_vs_nm,omitempty"`
                                  	MacvlanVsGw  *string `protobuf:"bytes,78,opt,name=macvlan_vs_gw,json=macvlanVsGw,def=192.168.0.1" json:"macvlan_vs_gw,omitempty"`
                                  	MacvlanVsMa  *string `protobuf:"bytes,79,opt,name=macvlan_vs_ma,json=macvlanVsMa,def=" json:"macvlan_vs_ma,omitempty"`
                                  	// Binary path (with arguments) to be executed. If not specified here, it
                                  	//can be specified with cmd-line as "-- /path/to/command arg1 arg2"
                                  	ExecBin *Exe `protobuf:"bytes,80,opt,name=exec_bin,json=execBin" json:"exec_bin,omitempty"`
                                  	// contains filtered or unexported fields
                                  }

                                  func (*NsJailConfig) Descriptor

                                  func (*NsJailConfig) Descriptor() ([]byte, []int)

                                    Deprecated: Use NsJailConfig.ProtoReflect.Descriptor instead.

                                    func (*NsJailConfig) GetBindhost

                                    func (x *NsJailConfig) GetBindhost() string

                                    func (*NsJailConfig) GetCap

                                    func (x *NsJailConfig) GetCap() []string

                                    func (*NsJailConfig) GetCgroupCpuMount

                                    func (x *NsJailConfig) GetCgroupCpuMount() string

                                    func (*NsJailConfig) GetCgroupCpuMsPerSec

                                    func (x *NsJailConfig) GetCgroupCpuMsPerSec() uint32

                                    func (*NsJailConfig) GetCgroupCpuParent

                                    func (x *NsJailConfig) GetCgroupCpuParent() string

                                    func (*NsJailConfig) GetCgroupMemMax

                                    func (x *NsJailConfig) GetCgroupMemMax() uint64

                                    func (*NsJailConfig) GetCgroupMemMount

                                    func (x *NsJailConfig) GetCgroupMemMount() string

                                    func (*NsJailConfig) GetCgroupMemParent

                                    func (x *NsJailConfig) GetCgroupMemParent() string

                                    func (*NsJailConfig) GetCgroupNetClsClassid

                                    func (x *NsJailConfig) GetCgroupNetClsClassid() uint32

                                    func (*NsJailConfig) GetCgroupNetClsMount

                                    func (x *NsJailConfig) GetCgroupNetClsMount() string

                                    func (*NsJailConfig) GetCgroupNetClsParent

                                    func (x *NsJailConfig) GetCgroupNetClsParent() string

                                    func (*NsJailConfig) GetCgroupPidsMax

                                    func (x *NsJailConfig) GetCgroupPidsMax() uint64

                                    func (*NsJailConfig) GetCgroupPidsMount

                                    func (x *NsJailConfig) GetCgroupPidsMount() string

                                    func (*NsJailConfig) GetCgroupPidsParent

                                    func (x *NsJailConfig) GetCgroupPidsParent() string

                                    func (*NsJailConfig) GetChrootDir

                                    func (x *NsJailConfig) GetChrootDir() string

                                      Deprecated: Do not use.

                                      func (*NsJailConfig) GetCloneNewcgroup

                                      func (x *NsJailConfig) GetCloneNewcgroup() bool

                                      func (*NsJailConfig) GetCloneNewipc

                                      func (x *NsJailConfig) GetCloneNewipc() bool

                                      func (*NsJailConfig) GetCloneNewnet

                                      func (x *NsJailConfig) GetCloneNewnet() bool

                                      func (*NsJailConfig) GetCloneNewns

                                      func (x *NsJailConfig) GetCloneNewns() bool

                                      func (*NsJailConfig) GetCloneNewpid

                                      func (x *NsJailConfig) GetCloneNewpid() bool

                                      func (*NsJailConfig) GetCloneNewuser

                                      func (x *NsJailConfig) GetCloneNewuser() bool

                                      func (*NsJailConfig) GetCloneNewuts

                                      func (x *NsJailConfig) GetCloneNewuts() bool

                                      func (*NsJailConfig) GetCwd

                                      func (x *NsJailConfig) GetCwd() string

                                      func (*NsJailConfig) GetDaemon

                                      func (x *NsJailConfig) GetDaemon() bool

                                      func (*NsJailConfig) GetDescription

                                      func (x *NsJailConfig) GetDescription() []string

                                      func (*NsJailConfig) GetDisableNoNewPrivs

                                      func (x *NsJailConfig) GetDisableNoNewPrivs() bool

                                      func (*NsJailConfig) GetEnvar

                                      func (x *NsJailConfig) GetEnvar() []string

                                      func (*NsJailConfig) GetExecBin

                                      func (x *NsJailConfig) GetExecBin() *Exe

                                      func (*NsJailConfig) GetGidmap

                                      func (x *NsJailConfig) GetGidmap() []*IdMap

                                      func (*NsJailConfig) GetHostname

                                      func (x *NsJailConfig) GetHostname() string

                                      func (*NsJailConfig) GetIfaceNoLo

                                      func (x *NsJailConfig) GetIfaceNoLo() bool

                                      func (*NsJailConfig) GetIfaceOwn

                                      func (x *NsJailConfig) GetIfaceOwn() []string

                                      func (*NsJailConfig) GetIsRootRw

                                      func (x *NsJailConfig) GetIsRootRw() bool

                                        Deprecated: Do not use.

                                        func (*NsJailConfig) GetKeepCaps

                                        func (x *NsJailConfig) GetKeepCaps() bool

                                        func (*NsJailConfig) GetKeepEnv

                                        func (x *NsJailConfig) GetKeepEnv() bool

                                        func (*NsJailConfig) GetLogFd

                                        func (x *NsJailConfig) GetLogFd() int32

                                        func (*NsJailConfig) GetLogFile

                                        func (x *NsJailConfig) GetLogFile() string

                                        func (*NsJailConfig) GetLogLevel

                                        func (x *NsJailConfig) GetLogLevel() LogLevel

                                        func (*NsJailConfig) GetMacvlanIface

                                        func (x *NsJailConfig) GetMacvlanIface() string

                                        func (*NsJailConfig) GetMacvlanVsGw

                                        func (x *NsJailConfig) GetMacvlanVsGw() string

                                        func (*NsJailConfig) GetMacvlanVsIp

                                        func (x *NsJailConfig) GetMacvlanVsIp() string

                                        func (*NsJailConfig) GetMacvlanVsMa

                                        func (x *NsJailConfig) GetMacvlanVsMa() string

                                        func (*NsJailConfig) GetMacvlanVsNm

                                        func (x *NsJailConfig) GetMacvlanVsNm() string

                                        func (*NsJailConfig) GetMaxConnsPerIp

                                        func (x *NsJailConfig) GetMaxConnsPerIp() uint32

                                        func (*NsJailConfig) GetMaxCpus

                                        func (x *NsJailConfig) GetMaxCpus() uint32

                                        func (*NsJailConfig) GetMode

                                        func (x *NsJailConfig) GetMode() Mode

                                        func (*NsJailConfig) GetMount

                                        func (x *NsJailConfig) GetMount() []*MountPt

                                        func (*NsJailConfig) GetMountProc

                                        func (x *NsJailConfig) GetMountProc() bool

                                        func (*NsJailConfig) GetName

                                        func (x *NsJailConfig) GetName() string

                                        func (*NsJailConfig) GetPassFd

                                        func (x *NsJailConfig) GetPassFd() []int32

                                        func (*NsJailConfig) GetPersonaAddrCompatLayout

                                        func (x *NsJailConfig) GetPersonaAddrCompatLayout() bool

                                        func (*NsJailConfig) GetPersonaAddrLimit_3Gb

                                        func (x *NsJailConfig) GetPersonaAddrLimit_3Gb() bool

                                        func (*NsJailConfig) GetPersonaAddrNoRandomize

                                        func (x *NsJailConfig) GetPersonaAddrNoRandomize() bool

                                        func (*NsJailConfig) GetPersonaMmapPageZero

                                        func (x *NsJailConfig) GetPersonaMmapPageZero() bool

                                        func (*NsJailConfig) GetPersonaReadImpliesExec

                                        func (x *NsJailConfig) GetPersonaReadImpliesExec() bool

                                        func (*NsJailConfig) GetPort

                                        func (x *NsJailConfig) GetPort() uint32

                                        func (*NsJailConfig) GetRlimitAs

                                        func (x *NsJailConfig) GetRlimitAs() uint64

                                        func (*NsJailConfig) GetRlimitAsType

                                        func (x *NsJailConfig) GetRlimitAsType() RLimit

                                        func (*NsJailConfig) GetRlimitCore

                                        func (x *NsJailConfig) GetRlimitCore() uint64

                                        func (*NsJailConfig) GetRlimitCoreType

                                        func (x *NsJailConfig) GetRlimitCoreType() RLimit

                                        func (*NsJailConfig) GetRlimitCpu

                                        func (x *NsJailConfig) GetRlimitCpu() uint64

                                        func (*NsJailConfig) GetRlimitCpuType

                                        func (x *NsJailConfig) GetRlimitCpuType() RLimit

                                        func (*NsJailConfig) GetRlimitFsize

                                        func (x *NsJailConfig) GetRlimitFsize() uint64

                                        func (*NsJailConfig) GetRlimitFsizeType

                                        func (x *NsJailConfig) GetRlimitFsizeType() RLimit

                                        func (*NsJailConfig) GetRlimitNofile

                                        func (x *NsJailConfig) GetRlimitNofile() uint64

                                        func (*NsJailConfig) GetRlimitNofileType

                                        func (x *NsJailConfig) GetRlimitNofileType() RLimit

                                        func (*NsJailConfig) GetRlimitNproc

                                        func (x *NsJailConfig) GetRlimitNproc() uint64

                                        func (*NsJailConfig) GetRlimitNprocType

                                        func (x *NsJailConfig) GetRlimitNprocType() RLimit

                                        func (*NsJailConfig) GetRlimitStack

                                        func (x *NsJailConfig) GetRlimitStack() uint64

                                        func (*NsJailConfig) GetRlimitStackType

                                        func (x *NsJailConfig) GetRlimitStackType() RLimit

                                        func (*NsJailConfig) GetSeccompLog

                                        func (x *NsJailConfig) GetSeccompLog() bool

                                        func (*NsJailConfig) GetSeccompPolicyFile

                                        func (x *NsJailConfig) GetSeccompPolicyFile() string

                                        func (*NsJailConfig) GetSeccompString

                                        func (x *NsJailConfig) GetSeccompString() []string

                                        func (*NsJailConfig) GetSilent

                                        func (x *NsJailConfig) GetSilent() bool

                                        func (*NsJailConfig) GetSkipSetsid

                                        func (x *NsJailConfig) GetSkipSetsid() bool

                                        func (*NsJailConfig) GetStderrToNull

                                        func (x *NsJailConfig) GetStderrToNull() bool

                                        func (*NsJailConfig) GetTimeLimit

                                        func (x *NsJailConfig) GetTimeLimit() uint32

                                        func (*NsJailConfig) GetUidmap

                                        func (x *NsJailConfig) GetUidmap() []*IdMap

                                        func (*NsJailConfig) ProtoMessage

                                        func (*NsJailConfig) ProtoMessage()

                                        func (*NsJailConfig) ProtoReflect

                                        func (x *NsJailConfig) ProtoReflect() protoreflect.Message

                                        func (*NsJailConfig) Reset

                                        func (x *NsJailConfig) Reset()

                                        func (*NsJailConfig) String

                                        func (x *NsJailConfig) String() string

                                        type RLimit

                                        // RLimit selects where the effective value of a resource limit comes from.
                                        // NsJailConfig returns one RLimit per limit from its GetRlimit*Type getters
                                        // (GetRlimitAsType, GetRlimitCoreType, GetRlimitCpuType, GetRlimitFsizeType,
                                        // GetRlimitNofileType, GetRlimitNprocType, GetRlimitStackType), next to the
                                        // numeric GetRlimit* value. The numbers are the protobuf enum values.
                                        //
                                        // NOTE(review): only RLimit_VALUE uses the number given in the config.
                                        // RLimit_SOFT and RLimit_HARD presumably take the limit of the process that
                                        // launches nsjail, so the bound then depends on the launch environment;
                                        // confirm against nsjail before relying on it. RLimit_INF sets no bound.
                                        type RLimit int32
                                        const (
                                        	RLimit_VALUE RLimit = 0 // Use the provided value
                                        	RLimit_SOFT  RLimit = 1 // Use the current soft rlimit
                                        	RLimit_HARD  RLimit = 2 // Use the current hard rlimit
                                        	RLimit_INF   RLimit = 3 // Use RLIM64_INFINITY (the resource is left unlimited)
                                        )

                                        func (RLimit) Descriptor

                                        func (RLimit) Descriptor() protoreflect.EnumDescriptor

                                        func (RLimit) Enum

                                        func (x RLimit) Enum() *RLimit

                                        func (RLimit) EnumDescriptor

                                        func (RLimit) EnumDescriptor() ([]byte, []int)

                                          Deprecated: Use RLimit.Descriptor instead.

                                          func (RLimit) Number

                                          func (x RLimit) Number() protoreflect.EnumNumber

                                          func (RLimit) String

                                          func (x RLimit) String() string

                                          func (RLimit) Type

                                          func (RLimit) Type() protoreflect.EnumType

                                          func (*RLimit) UnmarshalJSON

                                          func (x *RLimit) UnmarshalJSON(b []byte) error

                                            Deprecated: Do not use.

                                            Source Files