nsjail

package
Version: v0.0.21
Published: Sep 2, 2021 License: BSD-3-Clause Imports: 4 Imported by: 0

README

nsjail config proto

protobuf schema for nsjail (GitHub). It is used to provide a hermetic build environment with arbitrary toolchain support.

How to update the file?

  1. git clone
$ git clone https://github.com/google/nsjail.git
  2. Copy the config.proto file.
$ cp nsjail/config.proto .
  3. Add option go_package = "go.chromium.org/goma/server/proto/nsjail"; to the copied file.

Documentation

Index

Constants

const (
	// Empty inside/outside ids mean "current uid/gid" (see IdMap).
	Default_IdMap_InsideId    = string("")
	Default_IdMap_OutsideId   = string("")
	// Count defaults to 1; see 'man user_namespaces' for its meaning.
	Default_IdMap_Count       = uint32(1)
	// The /usr/bin/new[u|g]idmap helper binaries are not used unless requested.
	Default_IdMap_UseNewidmap = bool(false)
)

Default values for IdMap fields.

const (
	// Empty src/fstype/options are legal: src can be skipped for filesystems
	// like 'proc', fstype for 'mount --bind' mounts (see MountPt).
	Default_MountPt_Src          = string("")
	Default_MountPt_PrefixSrcEnv = string("")
	Default_MountPt_Dst          = string("")
	Default_MountPt_PrefixDstEnv = string("")
	Default_MountPt_Fstype       = string("")
	Default_MountPt_Options      = string("")
	// Mounts are read-only and non-bind unless requested.
	Default_MountPt_IsBind       = bool(false)
	Default_MountPt_Rw           = bool(false)
	// A mount that cannot be set up aborts sandboxing by default.
	Default_MountPt_Mandatory    = bool(true)
	Default_MountPt_IsSymlink    = bool(false)
	// nosuid/nodev/noexec are OFF by default; every mount point that should
	// get this hardening has to request it explicitly.
	Default_MountPt_Nosuid       = bool(false)
	Default_MountPt_Nodev        = bool(false)
	Default_MountPt_Noexec       = bool(false)
)

Default values for MountPt fields.

const (
	Default_NsJailConfig_Name                    = string("")
	// Run the command once (Mode_ONCE); Port/Bindhost only matter for mode=LISTEN.
	Default_NsJailConfig_Mode                    = Mode_ONCE
	Default_NsJailConfig_IsRootRw                = bool(false)
	Default_NsJailConfig_Hostname                = string("NSJAIL")
	Default_NsJailConfig_Cwd                     = string("/")
	// Listen-mode defaults: port 0, bind to the IPv6 any-address, no per-IP
	// connection cap (0).
	Default_NsJailConfig_Port                    = uint32(0)
	Default_NsJailConfig_Bindhost                = string("::")
	Default_NsJailConfig_MaxConnsPerIp           = uint32(0)
	// Wall-time limit for commands; presumably seconds (matches RlimitCpu's 600s).
	Default_NsJailConfig_TimeLimit               = uint32(600)
	Default_NsJailConfig_Daemon                  = bool(false)
	// 0 means no limit on the number of CPUs.
	Default_NsJailConfig_MaxCpus                 = uint32(0)
	// Environment variables and capabilities are dropped unless explicitly kept.
	Default_NsJailConfig_KeepEnv                 = bool(false)
	Default_NsJailConfig_KeepCaps                = bool(false)
	Default_NsJailConfig_Silent                  = bool(false)
	// Off by default: NsJailConfig.SkipSetsid documents it as dangerous.
	Default_NsJailConfig_SkipSetsid              = bool(false)
	Default_NsJailConfig_StderrToNull            = bool(false)
	// false leaves no_new_privs in effect, so set-uid binaries inside the jail
	// do not gain privileges (see NsJailConfig.DisableNoNewPrivs).
	Default_NsJailConfig_DisableNoNewPrivs       = bool(false)
	// rlimit values apply only when the matching *Type is RLimit_VALUE.
	// AS/CORE/FSIZE are in MiB, CPU in seconds (see NsJailConfig.Rlimit*).
	Default_NsJailConfig_RlimitAs                = uint64(512)
	Default_NsJailConfig_RlimitAsType            = RLimit_VALUE
	Default_NsJailConfig_RlimitCore              = uint64(0)
	Default_NsJailConfig_RlimitCoreType          = RLimit_VALUE
	Default_NsJailConfig_RlimitCpu               = uint64(600)
	Default_NsJailConfig_RlimitCpuType           = RLimit_VALUE
	Default_NsJailConfig_RlimitFsize             = uint64(1)
	Default_NsJailConfig_RlimitFsizeType         = RLimit_VALUE
	Default_NsJailConfig_RlimitNofile            = uint64(32)
	Default_NsJailConfig_RlimitNofileType        = RLimit_VALUE
	// NPROC and STACK use the current soft limit by default, so the numeric
	// values here are unused unless the type is changed to RLimit_VALUE.
	Default_NsJailConfig_RlimitNproc             = uint64(1024)
	Default_NsJailConfig_RlimitNprocType         = RLimit_SOFT
	Default_NsJailConfig_RlimitStack             = uint64(1048576)
	Default_NsJailConfig_RlimitStackType         = RLimit_SOFT
	// All personality flags (see 'man personality') are off by default.
	Default_NsJailConfig_PersonaAddrCompatLayout = bool(false)
	Default_NsJailConfig_PersonaMmapPageZero     = bool(false)
	Default_NsJailConfig_PersonaReadImpliesExec  = bool(false)
	Default_NsJailConfig_PersonaAddrLimit_3Gb    = bool(false)
	Default_NsJailConfig_PersonaAddrNoRandomize  = bool(false)
	// Every namespace is cloned by default; CloneNewcgroup is not supported
	// on kernels older than 4.6 and must be disabled there.
	Default_NsJailConfig_CloneNewnet             = bool(true)
	Default_NsJailConfig_CloneNewuser            = bool(true)
	Default_NsJailConfig_CloneNewns              = bool(true)
	Default_NsJailConfig_CloneNewpid             = bool(true)
	Default_NsJailConfig_CloneNewipc             = bool(true)
	Default_NsJailConfig_CloneNewuts             = bool(true)
	Default_NsJailConfig_CloneNewcgroup          = bool(true)
	// /proc is not mounted unless requested here or via a MountPt entry.
	Default_NsJailConfig_MountProc               = bool(false)
	Default_NsJailConfig_SeccompLog              = bool(false)
	// cgroup limits: 0 means no limit. The *Mount paths are the host's
	// per-controller cgroup mount points; *Parent is a directory under each
	// that the nsjail user must be able to write.
	Default_NsJailConfig_CgroupMemMax            = uint64(0)
	Default_NsJailConfig_CgroupMemMount          = string("/sys/fs/cgroup/memory")
	Default_NsJailConfig_CgroupMemParent         = string("NSJAIL")
	Default_NsJailConfig_CgroupPidsMax           = uint64(0)
	Default_NsJailConfig_CgroupPidsMount         = string("/sys/fs/cgroup/pids")
	Default_NsJailConfig_CgroupPidsParent        = string("NSJAIL")
	Default_NsJailConfig_CgroupNetClsClassid     = uint32(0)
	Default_NsJailConfig_CgroupNetClsMount       = string("/sys/fs/cgroup/net_cls")
	Default_NsJailConfig_CgroupNetClsParent      = string("NSJAIL")
	Default_NsJailConfig_CgroupCpuMsPerSec       = uint32(0)
	Default_NsJailConfig_CgroupCpuMount          = string("/sys/fs/cgroup/cpu")
	Default_NsJailConfig_CgroupCpuParent         = string("NSJAIL")
	Default_NsJailConfig_IfaceNoLo               = bool(false)
	// MACVLAN address defaults; presumably only used when MacvlanIface is set.
	Default_NsJailConfig_MacvlanVsIp             = string("192.168.0.2")
	Default_NsJailConfig_MacvlanVsNm             = string("255.255.255.0")
	Default_NsJailConfig_MacvlanVsGw             = string("192.168.0.1")
	Default_NsJailConfig_MacvlanVsMa             = string("")
)

Default values for NsJailConfig fields.

const (
	// execveat() on a file descriptor is not used unless Exe.ExecFd is set.
	Default_Exe_ExecFd = bool(false)
)

Default values for Exe fields.

Variables

var (
	// Mode_name maps each Mode number to its proto identifier.
	Mode_name = map[int32]string{
		0: "LISTEN",
		1: "ONCE",
		2: "RERUN",
		3: "EXECVE",
	}
	// Mode_value is the inverse of Mode_name (identifier -> number).
	Mode_value = map[string]int32{
		"LISTEN": 0,
		"ONCE":   1,
		"RERUN":  2,
		"EXECVE": 3,
	}
)

Enum value maps for Mode.

var (
	// LogLevel_name maps each LogLevel number to its proto identifier.
	LogLevel_name = map[int32]string{
		0: "DEBUG",
		1: "INFO",
		2: "WARNING",
		3: "ERROR",
		4: "FATAL",
	}
	// LogLevel_value is the inverse of LogLevel_name (identifier -> number).
	LogLevel_value = map[string]int32{
		"DEBUG":   0,
		"INFO":    1,
		"WARNING": 2,
		"ERROR":   3,
		"FATAL":   4,
	}
)

Enum value maps for LogLevel.

var (
	// RLimit_name maps each RLimit number to its proto identifier.
	RLimit_name = map[int32]string{
		0: "VALUE",
		1: "SOFT",
		2: "HARD",
		3: "INF",
	}
	// RLimit_value is the inverse of RLimit_name (identifier -> number).
	RLimit_value = map[string]int32{
		"VALUE": 0,
		"SOFT":  1,
		"HARD":  2,
		"INF":   3,
	}
)

Enum value maps for RLimit.

var (
	// No inline content is written to the dst file unless MountPt.SrcContent is set.
	Default_MountPt_SrcContent = []byte("")
)

Default values for MountPt fields.

// File_nsjail_config_proto is the protoreflect descriptor of the generated
// nsjail config.proto schema (see the README for how the .proto is refreshed).
var File_nsjail_config_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type Exe

// Exe describes the binary nsjail executes inside the jail: the execv path
// (required), its arguments, an optional argv[0] override, and whether the
// target is an already-open file descriptor executed via execveat().
type Exe struct {

	// Will be used both as execv's path and as argv[0]. Required field.
	Path *string `protobuf:"bytes,1,req,name=path" json:"path,omitempty"`
	// This will be argv[1] and so on..
	Arg []string `protobuf:"bytes,2,rep,name=arg" json:"arg,omitempty"`
	// Override argv[0]
	Arg0 *string `protobuf:"bytes,3,opt,name=arg0" json:"arg0,omitempty"`
	// Should execveat() be used to execute a file-descriptor instead?
	// Defaults to false (def=0).
	ExecFd *bool `protobuf:"varint,4,opt,name=exec_fd,json=execFd,def=0" json:"exec_fd,omitempty"`
	// contains filtered or unexported fields
}

func (*Exe) Descriptor deprecated

This method has been deprecated.
func (*Exe) Descriptor() ([]byte, []int)

Deprecated: Use Exe.ProtoReflect.Descriptor instead.

func (*Exe) GetArg

func (x *Exe) GetArg() []string

func (*Exe) GetArg0

func (x *Exe) GetArg0() string

func (*Exe) GetExecFd

func (x *Exe) GetExecFd() bool

func (*Exe) GetPath

func (x *Exe) GetPath() string

func (*Exe) ProtoMessage

func (*Exe) ProtoMessage()

func (*Exe) ProtoReflect added in v0.0.12

func (x *Exe) ProtoReflect() protoreflect.Message

func (*Exe) Reset

func (x *Exe) Reset()

func (*Exe) String

func (x *Exe) String() string

type IdMap

// IdMap is one uid or gid mapping entry for the jail's user namespace;
// NsJailConfig.Uidmap and NsJailConfig.Gidmap hold lists of these.
type IdMap struct {

	// Empty string means "current uid/gid"
	InsideId  *string `protobuf:"bytes,1,opt,name=inside_id,json=insideId,def=" json:"inside_id,omitempty"`
	OutsideId *string `protobuf:"bytes,2,opt,name=outside_id,json=outsideId,def=" json:"outside_id,omitempty"`
	// See 'man user_namespaces' for the meaning of count. Defaults to 1.
	Count *uint32 `protobuf:"varint,3,opt,name=count,def=1" json:"count,omitempty"`
	// Does this map use /usr/bin/new[u|g]idmap binary? Defaults to false.
	UseNewidmap *bool `protobuf:"varint,4,opt,name=use_newidmap,json=useNewidmap,def=0" json:"use_newidmap,omitempty"`
	// contains filtered or unexported fields
}

func (*IdMap) Descriptor deprecated

This method has been deprecated.
func (*IdMap) Descriptor() ([]byte, []int)

Deprecated: Use IdMap.ProtoReflect.Descriptor instead.

func (*IdMap) GetCount

func (x *IdMap) GetCount() uint32

func (*IdMap) GetInsideId

func (x *IdMap) GetInsideId() string

func (*IdMap) GetOutsideId

func (x *IdMap) GetOutsideId() string

func (*IdMap) GetUseNewidmap

func (x *IdMap) GetUseNewidmap() bool

func (*IdMap) ProtoMessage

func (*IdMap) ProtoMessage()

func (*IdMap) ProtoReflect added in v0.0.12

func (x *IdMap) ProtoReflect() protoreflect.Message

func (*IdMap) Reset

func (x *IdMap) Reset()

func (*IdMap) String

func (x *IdMap) String() string

type LogLevel

// LogLevel is the minimum log level nsjail displays (NsJailConfig.LogLevel).
type LogLevel int32

Should be self-explanatory.

// Numeric values mirror LogLevel_name / LogLevel_value.
const (
	LogLevel_DEBUG   LogLevel = 0 // Equivalent to the '-v' cmd-line option
	LogLevel_INFO    LogLevel = 1 // Default level
	LogLevel_WARNING LogLevel = 2 // Equivalent to the '-q' cmd-line option
	LogLevel_ERROR   LogLevel = 3
	LogLevel_FATAL   LogLevel = 4
)

func (LogLevel) Descriptor added in v0.0.12

func (LogLevel) Descriptor() protoreflect.EnumDescriptor

func (LogLevel) Enum

func (x LogLevel) Enum() *LogLevel

func (LogLevel) EnumDescriptor deprecated

This method has been deprecated.
func (LogLevel) EnumDescriptor() ([]byte, []int)

Deprecated: Use LogLevel.Descriptor instead.

func (LogLevel) Number added in v0.0.12

func (x LogLevel) Number() protoreflect.EnumNumber

func (LogLevel) String

func (x LogLevel) String() string

func (LogLevel) Type added in v0.0.12

func (*LogLevel) UnmarshalJSON deprecated

This method has been deprecated.
func (x *LogLevel) UnmarshalJSON(b []byte) error

Deprecated: Do not use.

type Mode

// Mode selects how nsjail runs the command (NsJailConfig.Mode, default ONCE).
// Port, Bindhost and MaxConnsPerIp in NsJailConfig apply to LISTEN only.
type Mode int32
// Numeric values mirror Mode_name / Mode_value.
const (
	Mode_LISTEN Mode = 0 // Listening on a TCP port
	Mode_ONCE   Mode = 1 // Running the command once only
	Mode_RERUN  Mode = 2 // Re-executing the command (forever)
	Mode_EXECVE Mode = 3 // Executing command w/o the supervisor
)

func (Mode) Descriptor added in v0.0.12

func (Mode) Descriptor() protoreflect.EnumDescriptor

func (Mode) Enum

func (x Mode) Enum() *Mode

func (Mode) EnumDescriptor deprecated

This method has been deprecated.
func (Mode) EnumDescriptor() ([]byte, []int)

Deprecated: Use Mode.Descriptor instead.

func (Mode) Number added in v0.0.12

func (x Mode) Number() protoreflect.EnumNumber

func (Mode) String

func (x Mode) String() string

func (Mode) Type added in v0.0.12

func (Mode) Type() protoreflect.EnumType

func (*Mode) UnmarshalJSON deprecated

This method has been deprecated.
func (x *Mode) UnmarshalJSON(b []byte) error

Deprecated: Do not use.

type MountPt

// MountPt describes one mount point (or symlink) set up inside the jail.
// Mounts are read-only by default, a failed mount aborts sandboxing unless
// Mandatory is cleared, and the nosuid/nodev/noexec flags default to off
// (def=0) - mount hardening has to be requested per mount point.
type MountPt struct {

	// Can be skipped for filesystems like 'proc'
	Src *string `protobuf:"bytes,1,opt,name=src,def=" json:"src,omitempty"`
	// Should 'src' path be prefixed with this envvar?
	PrefixSrcEnv *string `protobuf:"bytes,2,opt,name=prefix_src_env,json=prefixSrcEnv,def=" json:"prefix_src_env,omitempty"`
	// If specified, contains buffer that will be written to the dst file
	SrcContent []byte `protobuf:"bytes,3,opt,name=src_content,json=srcContent,def=" json:"src_content,omitempty"`
	// Mount point inside jail. Required field.
	Dst *string `protobuf:"bytes,4,req,name=dst,def=" json:"dst,omitempty"`
	// Should 'dst' path be prefixed with this envvar?
	PrefixDstEnv *string `protobuf:"bytes,5,opt,name=prefix_dst_env,json=prefixDstEnv,def=" json:"prefix_dst_env,omitempty"`
	// Can be empty for mount --bind mounts
	Fstype *string `protobuf:"bytes,6,opt,name=fstype,def=" json:"fstype,omitempty"`
	// E.g. size=5000000 for 'tmpfs'
	Options *string `protobuf:"bytes,7,opt,name=options,def=" json:"options,omitempty"`
	// Is it a 'mount --bind src dst' type of mount?
	IsBind *bool `protobuf:"varint,8,opt,name=is_bind,json=isBind,def=0" json:"is_bind,omitempty"`
	// Is it a R/W mount? Defaults to false (read-only).
	Rw *bool `protobuf:"varint,9,opt,name=rw,def=0" json:"rw,omitempty"`
	// Is it a directory? If not specified an internal
	// heuristics will be used to determine that
	IsDir *bool `protobuf:"varint,10,opt,name=is_dir,json=isDir" json:"is_dir,omitempty"`
	// Should the sandboxing fail if we cannot mount this resource? Defaults to true.
	Mandatory *bool `protobuf:"varint,11,opt,name=mandatory,def=1" json:"mandatory,omitempty"`
	// Is it a symlink (instead of real mount point)?
	IsSymlink *bool `protobuf:"varint,12,opt,name=is_symlink,json=isSymlink,def=0" json:"is_symlink,omitempty"`
	// Is it a nosuid mount? Defaults to false.
	Nosuid *bool `protobuf:"varint,13,opt,name=nosuid,def=0" json:"nosuid,omitempty"`
	// Is it a nodev mount? Defaults to false.
	Nodev *bool `protobuf:"varint,14,opt,name=nodev,def=0" json:"nodev,omitempty"`
	// Is it a noexec mount? Defaults to false.
	Noexec *bool `protobuf:"varint,15,opt,name=noexec,def=0" json:"noexec,omitempty"`
	// contains filtered or unexported fields
}

func (*MountPt) Descriptor deprecated

This method has been deprecated.
func (*MountPt) Descriptor() ([]byte, []int)

Deprecated: Use MountPt.ProtoReflect.Descriptor instead.

func (*MountPt) GetDst

func (x *MountPt) GetDst() string

func (*MountPt) GetFstype

func (x *MountPt) GetFstype() string

func (*MountPt) GetIsBind

func (x *MountPt) GetIsBind() bool

func (*MountPt) GetIsDir

func (x *MountPt) GetIsDir() bool
func (x *MountPt) GetIsSymlink() bool

func (*MountPt) GetMandatory

func (x *MountPt) GetMandatory() bool

func (*MountPt) GetNodev

func (x *MountPt) GetNodev() bool

func (*MountPt) GetNoexec

func (x *MountPt) GetNoexec() bool

func (*MountPt) GetNosuid

func (x *MountPt) GetNosuid() bool

func (*MountPt) GetOptions

func (x *MountPt) GetOptions() string

func (*MountPt) GetPrefixDstEnv

func (x *MountPt) GetPrefixDstEnv() string

func (*MountPt) GetPrefixSrcEnv

func (x *MountPt) GetPrefixSrcEnv() string

func (*MountPt) GetRw

func (x *MountPt) GetRw() bool

func (*MountPt) GetSrc

func (x *MountPt) GetSrc() string

func (*MountPt) GetSrcContent

func (x *MountPt) GetSrcContent() []byte

func (*MountPt) ProtoMessage

func (*MountPt) ProtoMessage()

func (*MountPt) ProtoReflect added in v0.0.12

func (x *MountPt) ProtoReflect() protoreflect.Message

func (*MountPt) Reset

func (x *MountPt) Reset()

func (*MountPt) String

func (x *MountPt) String() string

type NsJailConfig

// NsJailConfig is the top-level nsjail configuration message: execution
// mode, resource limits (rlimits and cgroups), which namespaces to clone,
// uid/gid maps, mount points, seccomp policy, networking, and the binary to
// run. Field defaults (def=...) are mirrored by the Default_NsJailConfig_*
// constants; the privilege-relevant ones (KeepCaps, SkipSetsid,
// DisableNoNewPrivs) all default to false.
type NsJailConfig struct {

	// Optional name and description for this config
	Name        *string  `protobuf:"bytes,1,opt,name=name,def=" json:"name,omitempty"`
	Description []string `protobuf:"bytes,2,rep,name=description" json:"description,omitempty"`
	// Execution mode: see 'msg Mode' description for more
	Mode *Mode `protobuf:"varint,3,opt,name=mode,enum=nsjail.Mode,def=1" json:"mode,omitempty"`
	// Equivalent to a bind mount with dst='/'. DEPRECATED: Use bind mounts.
	// Deprecated: Do not use.
	ChrootDir *string `protobuf:"bytes,4,opt,name=chroot_dir,json=chrootDir" json:"chroot_dir,omitempty"`
	// Applies both to the chroot_dir and to /proc mounts. DEPRECATED: Use bind mounts
	// Deprecated: Do not use.
	IsRootRw *bool `protobuf:"varint,5,opt,name=is_root_rw,json=isRootRw,def=0" json:"is_root_rw,omitempty"`
	// Hostname inside jail
	Hostname *string `protobuf:"bytes,8,opt,name=hostname,def=NSJAIL" json:"hostname,omitempty"`
	// Initial current working directory for the binary
	Cwd *string `protobuf:"bytes,9,opt,name=cwd,def=/" json:"cwd,omitempty"`
	// TCP port to listen to. Valid with mode=LISTEN only
	Port *uint32 `protobuf:"varint,10,opt,name=port,def=0" json:"port,omitempty"`
	// Host to bind to for mode=LISTEN. Must be in IPv6 format
	Bindhost *string `protobuf:"bytes,11,opt,name=bindhost,def=::" json:"bindhost,omitempty"`
	// For mode=LISTEN, maximum number of connections from a single IP
	MaxConnsPerIp *uint32 `protobuf:"varint,12,opt,name=max_conns_per_ip,json=maxConnsPerIp,def=0" json:"max_conns_per_ip,omitempty"`
	// Wall-time time limit for commands
	TimeLimit *uint32 `protobuf:"varint,13,opt,name=time_limit,json=timeLimit,def=600" json:"time_limit,omitempty"`
	// Should nsjail go into background?
	Daemon *bool `protobuf:"varint,14,opt,name=daemon,def=0" json:"daemon,omitempty"`
	// Maximum number of CPUs to use: 0 - no limit
	MaxCpus *uint32 `protobuf:"varint,15,opt,name=max_cpus,json=maxCpus,def=0" json:"max_cpus,omitempty"`
	// FD to log to.
	LogFd *int32 `protobuf:"varint,16,opt,name=log_fd,json=logFd" json:"log_fd,omitempty"`
	// File to save logs to
	LogFile *string `protobuf:"bytes,17,opt,name=log_file,json=logFile" json:"log_file,omitempty"`
	// Minimum log level displayed.
	// See 'msg LogLevel' description for more
	LogLevel *LogLevel `protobuf:"varint,18,opt,name=log_level,json=logLevel,enum=nsjail.LogLevel" json:"log_level,omitempty"`
	// Should the current environment variables be kept
	// when executing the binary
	KeepEnv *bool `protobuf:"varint,19,opt,name=keep_env,json=keepEnv,def=0" json:"keep_env,omitempty"`
	// EnvVars to be set before executing binaries. If the envvar doesn't contain '='
	// (e.g. just the 'DISPLAY' string), the current envvar value will be used
	Envar []string `protobuf:"bytes,20,rep,name=envar" json:"envar,omitempty"`
	// Should capabilities be preserved or dropped. Defaults to dropped (false).
	KeepCaps *bool `protobuf:"varint,21,opt,name=keep_caps,json=keepCaps,def=0" json:"keep_caps,omitempty"`
	// Which capabilities should be preserved if keep_caps == false.
	// Format: "CAP_SYS_PTRACE"
	Cap []string `protobuf:"bytes,22,rep,name=cap" json:"cap,omitempty"`
	// Should nsjail close FD=0,1,2 before executing the process
	Silent *bool `protobuf:"varint,23,opt,name=silent,def=0" json:"silent,omitempty"`
	// Should the child process have control over terminal?
	// Can be useful to allow /bin/sh to provide
	// job control / signals. Dangerous, can be used to put
	// characters into the controlling terminal back. Defaults to false.
	SkipSetsid *bool `protobuf:"varint,24,opt,name=skip_setsid,json=skipSetsid,def=0" json:"skip_setsid,omitempty"`
	// Redirect stderr of the process to /dev/null instead of the socket or original TTY
	StderrToNull *bool `protobuf:"varint,25,opt,name=stderr_to_null,json=stderrToNull,def=0" json:"stderr_to_null,omitempty"`
	// Which FDs should be passed to the newly executed process
	// By default only FD=0,1,2 are passed
	PassFd []int32 `protobuf:"varint,26,rep,name=pass_fd,json=passFd" json:"pass_fd,omitempty"`
	// Setting it to true disables no_new_privs and so allows set-uid binaries
	// inside the jail to gain privileges. Defaults to false; leave it false
	// unless the jailed workload really needs set-uid.
	DisableNoNewPrivs *bool `protobuf:"varint,27,opt,name=disable_no_new_privs,json=disableNoNewPrivs,def=0" json:"disable_no_new_privs,omitempty"`
	// Various rlimits, the rlimit_as/rlimit_core/... are used only if
	// rlimit_as_type/rlimit_core_type/... are set to RLimit::VALUE
	RlimitAs         *uint64 `protobuf:"varint,28,opt,name=rlimit_as,json=rlimitAs,def=512" json:"rlimit_as,omitempty"` // In MiB
	RlimitAsType     *RLimit `protobuf:"varint,29,opt,name=rlimit_as_type,json=rlimitAsType,enum=nsjail.RLimit,def=0" json:"rlimit_as_type,omitempty"`
	RlimitCore       *uint64 `protobuf:"varint,30,opt,name=rlimit_core,json=rlimitCore,def=0" json:"rlimit_core,omitempty"` // In MiB
	RlimitCoreType   *RLimit `protobuf:"varint,31,opt,name=rlimit_core_type,json=rlimitCoreType,enum=nsjail.RLimit,def=0" json:"rlimit_core_type,omitempty"`
	RlimitCpu        *uint64 `protobuf:"varint,32,opt,name=rlimit_cpu,json=rlimitCpu,def=600" json:"rlimit_cpu,omitempty"` // In seconds
	RlimitCpuType    *RLimit `protobuf:"varint,33,opt,name=rlimit_cpu_type,json=rlimitCpuType,enum=nsjail.RLimit,def=0" json:"rlimit_cpu_type,omitempty"`
	RlimitFsize      *uint64 `protobuf:"varint,34,opt,name=rlimit_fsize,json=rlimitFsize,def=1" json:"rlimit_fsize,omitempty"` // In MiB
	RlimitFsizeType  *RLimit ``                                                                                                /* 128-byte string literal not displayed */
	RlimitNofile     *uint64 `protobuf:"varint,36,opt,name=rlimit_nofile,json=rlimitNofile,def=32" json:"rlimit_nofile,omitempty"`
	RlimitNofileType *RLimit `` /* 131-byte string literal not displayed */
	// RLIMIT_NPROC is system-wide - tricky to use; use the soft limit value by
	// default here
	RlimitNproc     *uint64 `protobuf:"varint,38,opt,name=rlimit_nproc,json=rlimitNproc,def=1024" json:"rlimit_nproc,omitempty"`
	RlimitNprocType *RLimit `` /* 128-byte string literal not displayed */
	// In MiB, use the soft limit value by default
	RlimitStack     *uint64 `protobuf:"varint,40,opt,name=rlimit_stack,json=rlimitStack,def=1048576" json:"rlimit_stack,omitempty"`
	RlimitStackType *RLimit `` /* 128-byte string literal not displayed */
	// See 'man personality' for more
	PersonaAddrCompatLayout *bool `` /* 135-byte string literal not displayed */
	PersonaMmapPageZero     *bool `protobuf:"varint,43,opt,name=persona_mmap_page_zero,json=personaMmapPageZero,def=0" json:"persona_mmap_page_zero,omitempty"`
	PersonaReadImpliesExec  *bool `` /* 132-byte string literal not displayed */
	PersonaAddrLimit_3Gb    *bool `protobuf:"varint,45,opt,name=persona_addr_limit_3gb,json=personaAddrLimit3gb,def=0" json:"persona_addr_limit_3gb,omitempty"`
	PersonaAddrNoRandomize  *bool `` /* 132-byte string literal not displayed */
	// Which name-spaces should be used? All default to true (def=1).
	CloneNewnet  *bool `protobuf:"varint,47,opt,name=clone_newnet,json=cloneNewnet,def=1" json:"clone_newnet,omitempty"`
	CloneNewuser *bool `protobuf:"varint,48,opt,name=clone_newuser,json=cloneNewuser,def=1" json:"clone_newuser,omitempty"`
	CloneNewns   *bool `protobuf:"varint,49,opt,name=clone_newns,json=cloneNewns,def=1" json:"clone_newns,omitempty"`
	CloneNewpid  *bool `protobuf:"varint,50,opt,name=clone_newpid,json=cloneNewpid,def=1" json:"clone_newpid,omitempty"`
	CloneNewipc  *bool `protobuf:"varint,51,opt,name=clone_newipc,json=cloneNewipc,def=1" json:"clone_newipc,omitempty"`
	CloneNewuts  *bool `protobuf:"varint,52,opt,name=clone_newuts,json=cloneNewuts,def=1" json:"clone_newuts,omitempty"`
	// Disable for kernel versions < 4.6 as it's not supported there
	CloneNewcgroup *bool `protobuf:"varint,53,opt,name=clone_newcgroup,json=cloneNewcgroup,def=1" json:"clone_newcgroup,omitempty"`
	// Mappings for UIDs and GIDs. See the description for 'msg IdMap'
	// for more
	Uidmap []*IdMap `protobuf:"bytes,54,rep,name=uidmap" json:"uidmap,omitempty"`
	Gidmap []*IdMap `protobuf:"bytes,55,rep,name=gidmap" json:"gidmap,omitempty"`
	// Should /proc be mounted (R/O)? This can also be added in the 'mount'
	// section below
	MountProc *bool `protobuf:"varint,56,opt,name=mount_proc,json=mountProc,def=0" json:"mount_proc,omitempty"`
	// Mount points inside the jail. See the description for 'msg MountPt'
	// for more
	Mount []*MountPt `protobuf:"bytes,57,rep,name=mount" json:"mount,omitempty"`
	// Kafel seccomp-bpf policy file or a string:
	// Homepage of the project: https://github.com/google/kafel
	SeccompPolicyFile *string  `protobuf:"bytes,58,opt,name=seccomp_policy_file,json=seccompPolicyFile" json:"seccomp_policy_file,omitempty"`
	SeccompString     []string `protobuf:"bytes,59,rep,name=seccomp_string,json=seccompString" json:"seccomp_string,omitempty"`
	// Setting it to true makes audit write seccomp logs to dmesg
	SeccompLog *bool `protobuf:"varint,60,opt,name=seccomp_log,json=seccompLog,def=0" json:"seccomp_log,omitempty"`
	// If > 0, maximum cumulative size of RAM used inside any jail
	CgroupMemMax *uint64 `protobuf:"varint,61,opt,name=cgroup_mem_max,json=cgroupMemMax,def=0" json:"cgroup_mem_max,omitempty"` // In MiB
	// Mount point for cgroups-memory in your system
	CgroupMemMount *string `protobuf:"bytes,62,opt,name=cgroup_mem_mount,json=cgroupMemMount,def=/sys/fs/cgroup/memory" json:"cgroup_mem_mount,omitempty"`
	// Writeable directory (for the nsjail user) under cgroup_mem_mount
	CgroupMemParent *string `protobuf:"bytes,63,opt,name=cgroup_mem_parent,json=cgroupMemParent,def=NSJAIL" json:"cgroup_mem_parent,omitempty"`
	// If > 0, maximum number of PIDs (threads/processes) inside jail
	CgroupPidsMax *uint64 `protobuf:"varint,64,opt,name=cgroup_pids_max,json=cgroupPidsMax,def=0" json:"cgroup_pids_max,omitempty"`
	// Mount point for cgroups-pids in your system
	CgroupPidsMount *string `` /* 126-byte string literal not displayed */
	// Writeable directory (for the nsjail user) under cgroup_pids_mount
	CgroupPidsParent *string `protobuf:"bytes,66,opt,name=cgroup_pids_parent,json=cgroupPidsParent,def=NSJAIL" json:"cgroup_pids_parent,omitempty"`
	// If > 0, Class identifier of network packets inside jail
	CgroupNetClsClassid *uint32 `protobuf:"varint,67,opt,name=cgroup_net_cls_classid,json=cgroupNetClsClassid,def=0" json:"cgroup_net_cls_classid,omitempty"`
	// Mount point for cgroups-net-cls in your system
	CgroupNetClsMount *string `` /* 137-byte string literal not displayed */
	// Writeable directory (for the nsjail user) under cgroup_net_cls_mount
	CgroupNetClsParent *string `protobuf:"bytes,69,opt,name=cgroup_net_cls_parent,json=cgroupNetClsParent,def=NSJAIL" json:"cgroup_net_cls_parent,omitempty"`
	// If > 0 number of milliseconds of CPU that jail processes can use per each second
	CgroupCpuMsPerSec *uint32 `protobuf:"varint,70,opt,name=cgroup_cpu_ms_per_sec,json=cgroupCpuMsPerSec,def=0" json:"cgroup_cpu_ms_per_sec,omitempty"`
	// Mount point for cgroups-cpu in your system
	CgroupCpuMount *string `protobuf:"bytes,71,opt,name=cgroup_cpu_mount,json=cgroupCpuMount,def=/sys/fs/cgroup/cpu" json:"cgroup_cpu_mount,omitempty"`
	// Writeable directory (for the nsjail user) under cgroup_cpu_mount
	CgroupCpuParent *string `protobuf:"bytes,72,opt,name=cgroup_cpu_parent,json=cgroupCpuParent,def=NSJAIL" json:"cgroup_cpu_parent,omitempty"`
	// Should the 'lo' interface be brought up (active) inside this jail?
	IfaceNoLo *bool `protobuf:"varint,73,opt,name=iface_no_lo,json=ifaceNoLo,def=0" json:"iface_no_lo,omitempty"`
	// Put this interface inside the jail
	IfaceOwn []string `protobuf:"bytes,74,rep,name=iface_own,json=ifaceOwn" json:"iface_own,omitempty"`
	// Parameters for the cloned MACVLAN interface inside jail
	MacvlanIface *string `protobuf:"bytes,75,opt,name=macvlan_iface,json=macvlanIface" json:"macvlan_iface,omitempty"` // Interface to be cloned, eg 'eth0'
	MacvlanVsIp  *string `protobuf:"bytes,76,opt,name=macvlan_vs_ip,json=macvlanVsIp,def=192.168.0.2" json:"macvlan_vs_ip,omitempty"`
	MacvlanVsNm  *string `protobuf:"bytes,77,opt,name=macvlan_vs_nm,json=macvlanVsNm,def=255.255.255.0" json:"macvlan_vs_nm,omitempty"`
	MacvlanVsGw  *string `protobuf:"bytes,78,opt,name=macvlan_vs_gw,json=macvlanVsGw,def=192.168.0.1" json:"macvlan_vs_gw,omitempty"`
	MacvlanVsMa  *string `protobuf:"bytes,79,opt,name=macvlan_vs_ma,json=macvlanVsMa,def=" json:"macvlan_vs_ma,omitempty"`
	// Binary path (with arguments) to be executed. If not specified here, it
	// can be specified with cmd-line as "-- /path/to/command arg1 arg2"
	ExecBin *Exe `protobuf:"bytes,80,opt,name=exec_bin,json=execBin" json:"exec_bin,omitempty"`
	// contains filtered or unexported fields
}

func (*NsJailConfig) Descriptor deprecated

This method has been deprecated.
func (*NsJailConfig) Descriptor() ([]byte, []int)

Deprecated: Use NsJailConfig.ProtoReflect.Descriptor instead.

func (*NsJailConfig) GetBindhost

func (x *NsJailConfig) GetBindhost() string

func (*NsJailConfig) GetCap

func (x *NsJailConfig) GetCap() []string

func (*NsJailConfig) GetCgroupCpuMount

func (x *NsJailConfig) GetCgroupCpuMount() string

func (*NsJailConfig) GetCgroupCpuMsPerSec

func (x *NsJailConfig) GetCgroupCpuMsPerSec() uint32

func (*NsJailConfig) GetCgroupCpuParent

func (x *NsJailConfig) GetCgroupCpuParent() string

func (*NsJailConfig) GetCgroupMemMax

func (x *NsJailConfig) GetCgroupMemMax() uint64

func (*NsJailConfig) GetCgroupMemMount

func (x *NsJailConfig) GetCgroupMemMount() string

func (*NsJailConfig) GetCgroupMemParent

func (x *NsJailConfig) GetCgroupMemParent() string

func (*NsJailConfig) GetCgroupNetClsClassid

func (x *NsJailConfig) GetCgroupNetClsClassid() uint32

func (*NsJailConfig) GetCgroupNetClsMount

func (x *NsJailConfig) GetCgroupNetClsMount() string

func (*NsJailConfig) GetCgroupNetClsParent

func (x *NsJailConfig) GetCgroupNetClsParent() string

func (*NsJailConfig) GetCgroupPidsMax

func (x *NsJailConfig) GetCgroupPidsMax() uint64

func (*NsJailConfig) GetCgroupPidsMount

func (x *NsJailConfig) GetCgroupPidsMount() string

func (*NsJailConfig) GetCgroupPidsParent

func (x *NsJailConfig) GetCgroupPidsParent() string

func (*NsJailConfig) GetChrootDir deprecated

This method has been deprecated.
func (x *NsJailConfig) GetChrootDir() string

Deprecated: Do not use.

func (*NsJailConfig) GetCloneNewcgroup

func (x *NsJailConfig) GetCloneNewcgroup() bool

func (*NsJailConfig) GetCloneNewipc

func (x *NsJailConfig) GetCloneNewipc() bool

func (*NsJailConfig) GetCloneNewnet

func (x *NsJailConfig) GetCloneNewnet() bool

func (*NsJailConfig) GetCloneNewns

func (x *NsJailConfig) GetCloneNewns() bool

func (*NsJailConfig) GetCloneNewpid

func (x *NsJailConfig) GetCloneNewpid() bool

func (*NsJailConfig) GetCloneNewuser

func (x *NsJailConfig) GetCloneNewuser() bool

func (*NsJailConfig) GetCloneNewuts

func (x *NsJailConfig) GetCloneNewuts() bool

func (*NsJailConfig) GetCwd

func (x *NsJailConfig) GetCwd() string

func (*NsJailConfig) GetDaemon

func (x *NsJailConfig) GetDaemon() bool

func (*NsJailConfig) GetDescription

func (x *NsJailConfig) GetDescription() []string

func (*NsJailConfig) GetDisableNoNewPrivs

func (x *NsJailConfig) GetDisableNoNewPrivs() bool

func (*NsJailConfig) GetEnvar

func (x *NsJailConfig) GetEnvar() []string

func (*NsJailConfig) GetExecBin

func (x *NsJailConfig) GetExecBin() *Exe

func (*NsJailConfig) GetGidmap

func (x *NsJailConfig) GetGidmap() []*IdMap

func (*NsJailConfig) GetHostname

func (x *NsJailConfig) GetHostname() string

func (*NsJailConfig) GetIfaceNoLo

func (x *NsJailConfig) GetIfaceNoLo() bool

func (*NsJailConfig) GetIfaceOwn

func (x *NsJailConfig) GetIfaceOwn() []string

func (*NsJailConfig) GetIsRootRw deprecated

This method has been deprecated.
func (x *NsJailConfig) GetIsRootRw() bool

Deprecated: Do not use.

func (*NsJailConfig) GetKeepCaps

func (x *NsJailConfig) GetKeepCaps() bool

func (*NsJailConfig) GetKeepEnv

func (x *NsJailConfig) GetKeepEnv() bool

func (*NsJailConfig) GetLogFd

func (x *NsJailConfig) GetLogFd() int32

func (*NsJailConfig) GetLogFile

func (x *NsJailConfig) GetLogFile() string

func (*NsJailConfig) GetLogLevel

func (x *NsJailConfig) GetLogLevel() LogLevel

func (*NsJailConfig) GetMacvlanIface

func (x *NsJailConfig) GetMacvlanIface() string

func (*NsJailConfig) GetMacvlanVsGw

func (x *NsJailConfig) GetMacvlanVsGw() string

func (*NsJailConfig) GetMacvlanVsIp

func (x *NsJailConfig) GetMacvlanVsIp() string

func (*NsJailConfig) GetMacvlanVsMa

func (x *NsJailConfig) GetMacvlanVsMa() string

func (*NsJailConfig) GetMacvlanVsNm

func (x *NsJailConfig) GetMacvlanVsNm() string

func (*NsJailConfig) GetMaxConnsPerIp

func (x *NsJailConfig) GetMaxConnsPerIp() uint32

func (*NsJailConfig) GetMaxCpus

func (x *NsJailConfig) GetMaxCpus() uint32

func (*NsJailConfig) GetMode

func (x *NsJailConfig) GetMode() Mode

func (*NsJailConfig) GetMount

func (x *NsJailConfig) GetMount() []*MountPt

func (*NsJailConfig) GetMountProc

func (x *NsJailConfig) GetMountProc() bool

func (*NsJailConfig) GetName

func (x *NsJailConfig) GetName() string

func (*NsJailConfig) GetPassFd

func (x *NsJailConfig) GetPassFd() []int32

func (*NsJailConfig) GetPersonaAddrCompatLayout

func (x *NsJailConfig) GetPersonaAddrCompatLayout() bool

func (*NsJailConfig) GetPersonaAddrLimit_3Gb

func (x *NsJailConfig) GetPersonaAddrLimit_3Gb() bool

func (*NsJailConfig) GetPersonaAddrNoRandomize

func (x *NsJailConfig) GetPersonaAddrNoRandomize() bool

func (*NsJailConfig) GetPersonaMmapPageZero

func (x *NsJailConfig) GetPersonaMmapPageZero() bool

func (*NsJailConfig) GetPersonaReadImpliesExec

func (x *NsJailConfig) GetPersonaReadImpliesExec() bool

func (*NsJailConfig) GetPort

func (x *NsJailConfig) GetPort() uint32

func (*NsJailConfig) GetRlimitAs

func (x *NsJailConfig) GetRlimitAs() uint64

func (*NsJailConfig) GetRlimitAsType

func (x *NsJailConfig) GetRlimitAsType() RLimit

func (*NsJailConfig) GetRlimitCore

func (x *NsJailConfig) GetRlimitCore() uint64

func (*NsJailConfig) GetRlimitCoreType

func (x *NsJailConfig) GetRlimitCoreType() RLimit

func (*NsJailConfig) GetRlimitCpu

func (x *NsJailConfig) GetRlimitCpu() uint64

func (*NsJailConfig) GetRlimitCpuType

func (x *NsJailConfig) GetRlimitCpuType() RLimit

func (*NsJailConfig) GetRlimitFsize

func (x *NsJailConfig) GetRlimitFsize() uint64

func (*NsJailConfig) GetRlimitFsizeType

func (x *NsJailConfig) GetRlimitFsizeType() RLimit

func (*NsJailConfig) GetRlimitNofile

func (x *NsJailConfig) GetRlimitNofile() uint64

func (*NsJailConfig) GetRlimitNofileType

func (x *NsJailConfig) GetRlimitNofileType() RLimit

func (*NsJailConfig) GetRlimitNproc

func (x *NsJailConfig) GetRlimitNproc() uint64

func (*NsJailConfig) GetRlimitNprocType

func (x *NsJailConfig) GetRlimitNprocType() RLimit

func (*NsJailConfig) GetRlimitStack

func (x *NsJailConfig) GetRlimitStack() uint64

func (*NsJailConfig) GetRlimitStackType

func (x *NsJailConfig) GetRlimitStackType() RLimit

func (*NsJailConfig) GetSeccompLog

func (x *NsJailConfig) GetSeccompLog() bool

func (*NsJailConfig) GetSeccompPolicyFile

func (x *NsJailConfig) GetSeccompPolicyFile() string

func (*NsJailConfig) GetSeccompString

func (x *NsJailConfig) GetSeccompString() []string

func (*NsJailConfig) GetSilent

func (x *NsJailConfig) GetSilent() bool

func (*NsJailConfig) GetSkipSetsid

func (x *NsJailConfig) GetSkipSetsid() bool

func (*NsJailConfig) GetStderrToNull

func (x *NsJailConfig) GetStderrToNull() bool

func (*NsJailConfig) GetTimeLimit

func (x *NsJailConfig) GetTimeLimit() uint32

func (*NsJailConfig) GetUidmap

func (x *NsJailConfig) GetUidmap() []*IdMap

func (*NsJailConfig) ProtoMessage

func (*NsJailConfig) ProtoMessage()

func (*NsJailConfig) ProtoReflect added in v0.0.12

func (x *NsJailConfig) ProtoReflect() protoreflect.Message

func (*NsJailConfig) Reset

func (x *NsJailConfig) Reset()

func (*NsJailConfig) String

func (x *NsJailConfig) String() string

type RLimit

// RLimit selects how each NsJailConfig.Rlimit* value is interpreted: the
// numeric rlimit_* fields are consulted only when the matching *_type is
// RLimit_VALUE; SOFT/HARD take the current limits and INF removes the limit.
type RLimit int32
// Numeric values mirror RLimit_name / RLimit_value.
const (
	RLimit_VALUE RLimit = 0 // Use the provided value
	RLimit_SOFT  RLimit = 1 // Use the current soft rlimit
	RLimit_HARD  RLimit = 2 // Use the current hard rlimit
	RLimit_INF   RLimit = 3 // Use RLIM64_INFINITY
)

func (RLimit) Descriptor added in v0.0.12

func (RLimit) Descriptor() protoreflect.EnumDescriptor

func (RLimit) Enum

func (x RLimit) Enum() *RLimit

func (RLimit) EnumDescriptor deprecated

This method has been deprecated.
func (RLimit) EnumDescriptor() ([]byte, []int)

Deprecated: Use RLimit.Descriptor instead.

func (RLimit) Number added in v0.0.12

func (x RLimit) Number() protoreflect.EnumNumber

func (RLimit) String

func (x RLimit) String() string

func (RLimit) Type added in v0.0.12

func (RLimit) Type() protoreflect.EnumType

func (*RLimit) UnmarshalJSON deprecated

This method has been deprecated.
func (x *RLimit) UnmarshalJSON(b []byte) error

Deprecated: Do not use.
