Index ¶
- Constants
- Variables
- type Exe
- func (*Exe) Descriptor() ([]byte, []int)deprecated
- func (x *Exe) GetArg() []string
- func (x *Exe) GetArg0() string
- func (x *Exe) GetExecFd() bool
- func (x *Exe) GetPath() string
- func (*Exe) ProtoMessage()
- func (x *Exe) ProtoReflect() protoreflect.Message
- func (x *Exe) Reset()
- func (x *Exe) String() string
- type IdMap
- func (*IdMap) Descriptor() ([]byte, []int)deprecated
- func (x *IdMap) GetCount() uint32
- func (x *IdMap) GetInsideId() string
- func (x *IdMap) GetOutsideId() string
- func (x *IdMap) GetUseNewidmap() bool
- func (*IdMap) ProtoMessage()
- func (x *IdMap) ProtoReflect() protoreflect.Message
- func (x *IdMap) Reset()
- func (x *IdMap) String() string
- type LogLevel
- func (LogLevel) Descriptor() protoreflect.EnumDescriptor
- func (x LogLevel) Enum() *LogLevel
- func (LogLevel) EnumDescriptor() ([]byte, []int)deprecated
- func (x LogLevel) Number() protoreflect.EnumNumber
- func (x LogLevel) String() string
- func (LogLevel) Type() protoreflect.EnumType
- func (x *LogLevel) UnmarshalJSON(b []byte) errordeprecated
- type Mode
- func (Mode) Descriptor() protoreflect.EnumDescriptor
- func (x Mode) Enum() *Mode
- func (Mode) EnumDescriptor() ([]byte, []int)deprecated
- func (x Mode) Number() protoreflect.EnumNumber
- func (x Mode) String() string
- func (Mode) Type() protoreflect.EnumType
- func (x *Mode) UnmarshalJSON(b []byte) errordeprecated
- type MountPt
- func (*MountPt) Descriptor() ([]byte, []int)deprecated
- func (x *MountPt) GetDst() string
- func (x *MountPt) GetFstype() string
- func (x *MountPt) GetIsBind() bool
- func (x *MountPt) GetIsDir() bool
- func (x *MountPt) GetIsSymlink() bool
- func (x *MountPt) GetMandatory() bool
- func (x *MountPt) GetNodev() bool
- func (x *MountPt) GetNoexec() bool
- func (x *MountPt) GetNosuid() bool
- func (x *MountPt) GetOptions() string
- func (x *MountPt) GetPrefixDstEnv() string
- func (x *MountPt) GetPrefixSrcEnv() string
- func (x *MountPt) GetRw() bool
- func (x *MountPt) GetSrc() string
- func (x *MountPt) GetSrcContent() []byte
- func (*MountPt) ProtoMessage()
- func (x *MountPt) ProtoReflect() protoreflect.Message
- func (x *MountPt) Reset()
- func (x *MountPt) String() string
- type NsJailConfig
- func (*NsJailConfig) Descriptor() ([]byte, []int)deprecated
- func (x *NsJailConfig) GetBindhost() string
- func (x *NsJailConfig) GetCap() []string
- func (x *NsJailConfig) GetCgroupCpuMount() string
- func (x *NsJailConfig) GetCgroupCpuMsPerSec() uint32
- func (x *NsJailConfig) GetCgroupCpuParent() string
- func (x *NsJailConfig) GetCgroupMemMax() uint64
- func (x *NsJailConfig) GetCgroupMemMount() string
- func (x *NsJailConfig) GetCgroupMemParent() string
- func (x *NsJailConfig) GetCgroupNetClsClassid() uint32
- func (x *NsJailConfig) GetCgroupNetClsMount() string
- func (x *NsJailConfig) GetCgroupNetClsParent() string
- func (x *NsJailConfig) GetCgroupPidsMax() uint64
- func (x *NsJailConfig) GetCgroupPidsMount() string
- func (x *NsJailConfig) GetCgroupPidsParent() string
- func (x *NsJailConfig) GetChrootDir() stringdeprecated
- func (x *NsJailConfig) GetCloneNewcgroup() bool
- func (x *NsJailConfig) GetCloneNewipc() bool
- func (x *NsJailConfig) GetCloneNewnet() bool
- func (x *NsJailConfig) GetCloneNewns() bool
- func (x *NsJailConfig) GetCloneNewpid() bool
- func (x *NsJailConfig) GetCloneNewuser() bool
- func (x *NsJailConfig) GetCloneNewuts() bool
- func (x *NsJailConfig) GetCwd() string
- func (x *NsJailConfig) GetDaemon() bool
- func (x *NsJailConfig) GetDescription() []string
- func (x *NsJailConfig) GetDisableNoNewPrivs() bool
- func (x *NsJailConfig) GetEnvar() []string
- func (x *NsJailConfig) GetExecBin() *Exe
- func (x *NsJailConfig) GetGidmap() []*IdMap
- func (x *NsJailConfig) GetHostname() string
- func (x *NsJailConfig) GetIfaceNoLo() bool
- func (x *NsJailConfig) GetIfaceOwn() []string
- func (x *NsJailConfig) GetIsRootRw() booldeprecated
- func (x *NsJailConfig) GetKeepCaps() bool
- func (x *NsJailConfig) GetKeepEnv() bool
- func (x *NsJailConfig) GetLogFd() int32
- func (x *NsJailConfig) GetLogFile() string
- func (x *NsJailConfig) GetLogLevel() LogLevel
- func (x *NsJailConfig) GetMacvlanIface() string
- func (x *NsJailConfig) GetMacvlanVsGw() string
- func (x *NsJailConfig) GetMacvlanVsIp() string
- func (x *NsJailConfig) GetMacvlanVsMa() string
- func (x *NsJailConfig) GetMacvlanVsNm() string
- func (x *NsJailConfig) GetMaxConnsPerIp() uint32
- func (x *NsJailConfig) GetMaxCpus() uint32
- func (x *NsJailConfig) GetMode() Mode
- func (x *NsJailConfig) GetMount() []*MountPt
- func (x *NsJailConfig) GetMountProc() bool
- func (x *NsJailConfig) GetName() string
- func (x *NsJailConfig) GetPassFd() []int32
- func (x *NsJailConfig) GetPersonaAddrCompatLayout() bool
- func (x *NsJailConfig) GetPersonaAddrLimit_3Gb() bool
- func (x *NsJailConfig) GetPersonaAddrNoRandomize() bool
- func (x *NsJailConfig) GetPersonaMmapPageZero() bool
- func (x *NsJailConfig) GetPersonaReadImpliesExec() bool
- func (x *NsJailConfig) GetPort() uint32
- func (x *NsJailConfig) GetRlimitAs() uint64
- func (x *NsJailConfig) GetRlimitAsType() RLimit
- func (x *NsJailConfig) GetRlimitCore() uint64
- func (x *NsJailConfig) GetRlimitCoreType() RLimit
- func (x *NsJailConfig) GetRlimitCpu() uint64
- func (x *NsJailConfig) GetRlimitCpuType() RLimit
- func (x *NsJailConfig) GetRlimitFsize() uint64
- func (x *NsJailConfig) GetRlimitFsizeType() RLimit
- func (x *NsJailConfig) GetRlimitNofile() uint64
- func (x *NsJailConfig) GetRlimitNofileType() RLimit
- func (x *NsJailConfig) GetRlimitNproc() uint64
- func (x *NsJailConfig) GetRlimitNprocType() RLimit
- func (x *NsJailConfig) GetRlimitStack() uint64
- func (x *NsJailConfig) GetRlimitStackType() RLimit
- func (x *NsJailConfig) GetSeccompLog() bool
- func (x *NsJailConfig) GetSeccompPolicyFile() string
- func (x *NsJailConfig) GetSeccompString() []string
- func (x *NsJailConfig) GetSilent() bool
- func (x *NsJailConfig) GetSkipSetsid() bool
- func (x *NsJailConfig) GetStderrToNull() bool
- func (x *NsJailConfig) GetTimeLimit() uint32
- func (x *NsJailConfig) GetUidmap() []*IdMap
- func (*NsJailConfig) ProtoMessage()
- func (x *NsJailConfig) ProtoReflect() protoreflect.Message
- func (x *NsJailConfig) Reset()
- func (x *NsJailConfig) String() string
- type RLimit
- func (RLimit) Descriptor() protoreflect.EnumDescriptor
- func (x RLimit) Enum() *RLimit
- func (RLimit) EnumDescriptor() ([]byte, []int)deprecated
- func (x RLimit) Number() protoreflect.EnumNumber
- func (x RLimit) String() string
- func (RLimit) Type() protoreflect.EnumType
- func (x *RLimit) UnmarshalJSON(b []byte) errordeprecated
Constants ¶
const (
	// Empty inside_id/outside_id mean "current uid/gid" (see the IdMap field comments).
	Default_IdMap_InsideId  = string("")
	Default_IdMap_OutsideId = string("")
	// Length of the mapped id range; see 'man user_namespaces'.
	Default_IdMap_Count = uint32(1)
	// Whether the /usr/bin/new[u|g]idmap helper is used for this mapping.
	Default_IdMap_UseNewidmap = bool(false)
)
Default values for IdMap fields.
const (
	// Source/destination paths, the env vars that may prefix them, fstype and options.
	Default_MountPt_Src          = string("")
	Default_MountPt_PrefixSrcEnv = string("")
	Default_MountPt_Dst          = string("")
	Default_MountPt_PrefixDstEnv = string("")
	Default_MountPt_Fstype       = string("")
	Default_MountPt_Options      = string("")
	// Mount kind and flags. A mount point is read-only (Rw=false) and mandatory
	// (sandboxing fails if it cannot be mounted) unless overridden; the
	// nosuid/nodev/noexec flags are off by default and must be set per mount.
	Default_MountPt_IsBind    = bool(false)
	Default_MountPt_Rw        = bool(false)
	Default_MountPt_Mandatory = bool(true)
	Default_MountPt_IsSymlink = bool(false)
	Default_MountPt_Nosuid    = bool(false)
	Default_MountPt_Nodev     = bool(false)
	Default_MountPt_Noexec    = bool(false)
)
Default values for MountPt fields.
const (
	// Identity and execution mode. IsRootRw is deprecated on NsJailConfig.
	Default_NsJailConfig_Name     = string("")
	Default_NsJailConfig_Mode     = Mode_ONCE
	Default_NsJailConfig_IsRootRw = bool(false)
	Default_NsJailConfig_Hostname = string("NSJAIL")
	Default_NsJailConfig_Cwd      = string("/")
	// mode=LISTEN networking (Bindhost is an IPv6 literal) and run limits.
	Default_NsJailConfig_Port          = uint32(0)
	Default_NsJailConfig_Bindhost      = string("::")
	Default_NsJailConfig_MaxConnsPerIp = uint32(0)
	Default_NsJailConfig_TimeLimit     = uint32(600)
	Default_NsJailConfig_Daemon        = bool(false)
	Default_NsJailConfig_MaxCpus       = uint32(0)
	// Environment, capabilities and descriptor handling; all restrictive by default
	// (environment and capabilities dropped, no_new_privs left enabled).
	Default_NsJailConfig_KeepEnv           = bool(false)
	Default_NsJailConfig_KeepCaps          = bool(false)
	Default_NsJailConfig_Silent            = bool(false)
	Default_NsJailConfig_SkipSetsid        = bool(false)
	Default_NsJailConfig_StderrToNull      = bool(false)
	Default_NsJailConfig_DisableNoNewPrivs = bool(false)
	// rlimits. The *Type constants select how the value is applied (see RLimit);
	// the plain value is only used with RLimit_VALUE. As/Core/Fsize/Stack are in
	// MiB, Cpu in seconds, per the NsJailConfig field comments.
	Default_NsJailConfig_RlimitAs         = uint64(512)
	Default_NsJailConfig_RlimitAsType     = RLimit_VALUE
	Default_NsJailConfig_RlimitCore       = uint64(0)
	Default_NsJailConfig_RlimitCoreType   = RLimit_VALUE
	Default_NsJailConfig_RlimitCpu        = uint64(600)
	Default_NsJailConfig_RlimitCpuType    = RLimit_VALUE
	Default_NsJailConfig_RlimitFsize      = uint64(1)
	Default_NsJailConfig_RlimitFsizeType  = RLimit_VALUE
	Default_NsJailConfig_RlimitNofile     = uint64(32)
	Default_NsJailConfig_RlimitNofileType = RLimit_VALUE
	Default_NsJailConfig_RlimitNproc      = uint64(1024)
	Default_NsJailConfig_RlimitNprocType  = RLimit_SOFT
	Default_NsJailConfig_RlimitStack      = uint64(1048576)
	Default_NsJailConfig_RlimitStackType  = RLimit_SOFT
	// personality(2) flags; see 'man personality'.
	Default_NsJailConfig_PersonaAddrCompatLayout = bool(false)
	Default_NsJailConfig_PersonaMmapPageZero     = bool(false)
	Default_NsJailConfig_PersonaReadImpliesExec  = bool(false)
	Default_NsJailConfig_PersonaAddrLimit_3Gb    = bool(false)
	Default_NsJailConfig_PersonaAddrNoRandomize  = bool(false)
	// Namespaces: every clone_new* flag is enabled by default.
	Default_NsJailConfig_CloneNewnet    = bool(true)
	Default_NsJailConfig_CloneNewuser   = bool(true)
	Default_NsJailConfig_CloneNewns     = bool(true)
	Default_NsJailConfig_CloneNewpid    = bool(true)
	Default_NsJailConfig_CloneNewipc    = bool(true)
	Default_NsJailConfig_CloneNewuts    = bool(true)
	Default_NsJailConfig_CloneNewcgroup = bool(true)
	// /proc mounting and seccomp audit logging.
	Default_NsJailConfig_MountProc  = bool(false)
	Default_NsJailConfig_SeccompLog = bool(false)
	// cgroup limits (a value of 0 means the limit is not applied, per the field
	// comments) and the controller mount points / parent directories.
	Default_NsJailConfig_CgroupMemMax        = uint64(0)
	Default_NsJailConfig_CgroupMemMount      = string("/sys/fs/cgroup/memory")
	Default_NsJailConfig_CgroupMemParent     = string("NSJAIL")
	Default_NsJailConfig_CgroupPidsMax       = uint64(0)
	Default_NsJailConfig_CgroupPidsMount     = string("/sys/fs/cgroup/pids")
	Default_NsJailConfig_CgroupPidsParent    = string("NSJAIL")
	Default_NsJailConfig_CgroupNetClsClassid = uint32(0)
	Default_NsJailConfig_CgroupNetClsMount   = string("/sys/fs/cgroup/net_cls")
	Default_NsJailConfig_CgroupNetClsParent  = string("NSJAIL")
	Default_NsJailConfig_CgroupCpuMsPerSec   = uint32(0)
	Default_NsJailConfig_CgroupCpuMount      = string("/sys/fs/cgroup/cpu")
	Default_NsJailConfig_CgroupCpuParent     = string("NSJAIL")
	// Network interfaces inside the jail and the MACVLAN address defaults.
	Default_NsJailConfig_IfaceNoLo   = bool(false)
	Default_NsJailConfig_MacvlanVsIp = string("192.168.0.2")
	Default_NsJailConfig_MacvlanVsNm = string("255.255.255.0")
	Default_NsJailConfig_MacvlanVsGw = string("192.168.0.1")
	Default_NsJailConfig_MacvlanVsMa = string("")
)
Default values for NsJailConfig fields.
const (
	// Exe.ExecFd defaults to false: the binary is executed by path, not via
	// execveat() on a file descriptor.
	Default_Exe_ExecFd = bool(false)
)
Default values for Exe fields.
Variables ¶
var (
	// Mode_name maps each Mode enum number to its proto identifier.
	Mode_name = map[int32]string{
		0: "LISTEN",
		1: "ONCE",
		2: "RERUN",
		3: "EXECVE",
	}
	// Mode_value is the inverse mapping, identifier to enum number.
	Mode_value = map[string]int32{
		"LISTEN": 0,
		"ONCE":   1,
		"RERUN":  2,
		"EXECVE": 3,
	}
)
Enum value maps for Mode.
var (
	// LogLevel_name maps each LogLevel enum number to its proto identifier.
	LogLevel_name = map[int32]string{
		0: "DEBUG",
		1: "INFO",
		2: "WARNING",
		3: "ERROR",
		4: "FATAL",
	}
	// LogLevel_value is the inverse mapping, identifier to enum number.
	LogLevel_value = map[string]int32{
		"DEBUG":   0,
		"INFO":    1,
		"WARNING": 2,
		"ERROR":   3,
		"FATAL":   4,
	}
)
Enum value maps for LogLevel.
var (
	// RLimit_name maps each RLimit enum number to its proto identifier.
	// VALUE applies the numeric rlimit_* field; SOFT/HARD/INF select a
	// limit relative to the process's existing soft/hard limit or no limit.
	// NOTE(review): the SOFT/HARD/INF semantics are inferred from the names
	// only — confirm against the .proto comments.
	RLimit_name = map[int32]string{
		0: "VALUE",
		1: "SOFT",
		2: "HARD",
		3: "INF",
	}
	// RLimit_value is the inverse mapping, identifier to enum number.
	RLimit_value = map[string]int32{
		"VALUE": 0,
		"SOFT":  1,
		"HARD":  2,
		"INF":   3,
	}
)
Enum value maps for RLimit.
var (
	// Default for MountPt.SrcContent: an empty buffer, i.e. nothing is written
	// to the dst file unless the field is set.
	Default_MountPt_SrcContent = []byte("")
)
Default values for MountPt fields.
// File_nsjail_config_proto is the protoreflect file descriptor for the nsjail
// config proto that declares Exe, IdMap, MountPt, NsJailConfig and the enums.
var File_nsjail_config_proto protoreflect.FileDescriptor
Functions ¶
This section is empty.
Types ¶
type Exe ¶
// Exe describes the binary to execute inside the jail: its path, argv and
// whether it is executed from a file descriptor via execveat().
type Exe struct {
	// Will be used both as execv's path and as argv[0]
	Path *string `protobuf:"bytes,1,req,name=path" json:"path,omitempty"`
	// This will be argv[1] and so on..
	Arg []string `protobuf:"bytes,2,rep,name=arg" json:"arg,omitempty"`
	// Override argv[0]
	Arg0 *string `protobuf:"bytes,3,opt,name=arg0" json:"arg0,omitempty"`
	// Should execveat() be used to execute a file-descriptor instead?
	// Off by default (def=0).
	ExecFd *bool `protobuf:"varint,4,opt,name=exec_fd,json=execFd,def=0" json:"exec_fd,omitempty"`
	// contains filtered or unexported fields
}
func (*Exe) Descriptor
deprecated
func (*Exe) ProtoMessage ¶
func (*Exe) ProtoMessage()
func (*Exe) ProtoReflect ¶ added in v0.0.12
func (x *Exe) ProtoReflect() protoreflect.Message
type IdMap ¶
// IdMap is one uid/gid mapping entry for the jail's user namespace; NsJailConfig
// carries a list of them in Uidmap and Gidmap.
type IdMap struct {
	// Empty string means "current uid/gid"
	InsideId  *string `protobuf:"bytes,1,opt,name=inside_id,json=insideId,def=" json:"inside_id,omitempty"`
	OutsideId *string `protobuf:"bytes,2,opt,name=outside_id,json=outsideId,def=" json:"outside_id,omitempty"`
	// See 'man user_namespaces' for the meaning of count
	Count *uint32 `protobuf:"varint,3,opt,name=count,def=1" json:"count,omitempty"`
	// Does this map use /usr/bin/new[u|g]idmap binary?
	UseNewidmap *bool `protobuf:"varint,4,opt,name=use_newidmap,json=useNewidmap,def=0" json:"use_newidmap,omitempty"`
	// contains filtered or unexported fields
}
func (*IdMap) Descriptor
deprecated
func (*IdMap) GetInsideId ¶
func (*IdMap) GetOutsideId ¶
func (*IdMap) GetUseNewidmap ¶
func (*IdMap) ProtoMessage ¶
func (*IdMap) ProtoMessage()
func (*IdMap) ProtoReflect ¶ added in v0.0.12
func (x *IdMap) ProtoReflect() protoreflect.Message
type LogLevel ¶
// LogLevel is the minimum log level used by NsJailConfig.LogLevel; the valid
// values and their names are listed in LogLevel_name / LogLevel_value.
type LogLevel int32
Should be self explanatory
func (LogLevel) Descriptor ¶ added in v0.0.12
func (LogLevel) Descriptor() protoreflect.EnumDescriptor
func (LogLevel) EnumDescriptor
deprecated
func (LogLevel) Number ¶ added in v0.0.12
func (x LogLevel) Number() protoreflect.EnumNumber
func (LogLevel) Type ¶ added in v0.0.12
func (LogLevel) Type() protoreflect.EnumType
func (*LogLevel) UnmarshalJSON
deprecated
type Mode ¶
// Mode is the jail execution mode used by NsJailConfig.Mode (LISTEN, ONCE,
// RERUN or EXECVE; see Mode_name). Port, Bindhost and MaxConnsPerIp only
// apply with mode=LISTEN, per their field comments.
type Mode int32
func (Mode) Descriptor ¶ added in v0.0.12
func (Mode) Descriptor() protoreflect.EnumDescriptor
func (Mode) EnumDescriptor
deprecated
func (Mode) Number ¶ added in v0.0.12
func (x Mode) Number() protoreflect.EnumNumber
func (Mode) Type ¶ added in v0.0.12
func (Mode) Type() protoreflect.EnumType
func (*Mode) UnmarshalJSON
deprecated
type MountPt ¶
// MountPt describes one mount point (or symlink) set up inside the jail;
// NsJailConfig.Mount holds the list. Flags default to a read-only, mandatory
// mount with nosuid/nodev/noexec unset (see Default_MountPt_*).
type MountPt struct {
	// Can be skipped for filesystems like 'proc'
	Src *string `protobuf:"bytes,1,opt,name=src,def=" json:"src,omitempty"`
	// Should 'src' path be prefixed with this envvar?
	PrefixSrcEnv *string `protobuf:"bytes,2,opt,name=prefix_src_env,json=prefixSrcEnv,def=" json:"prefix_src_env,omitempty"`
	// If specified, contains buffer that will be written to the dst file
	SrcContent []byte `protobuf:"bytes,3,opt,name=src_content,json=srcContent,def=" json:"src_content,omitempty"`
	// Mount point inside jail
	Dst *string `protobuf:"bytes,4,req,name=dst,def=" json:"dst,omitempty"`
	// Should 'dst' path be prefixed with this envvar?
	PrefixDstEnv *string `protobuf:"bytes,5,opt,name=prefix_dst_env,json=prefixDstEnv,def=" json:"prefix_dst_env,omitempty"`
	// Can be empty for mount --bind mounts
	Fstype *string `protobuf:"bytes,6,opt,name=fstype,def=" json:"fstype,omitempty"`
	// E.g. size=5000000 for 'tmpfs'
	Options *string `protobuf:"bytes,7,opt,name=options,def=" json:"options,omitempty"`
	// Is it a 'mount --bind src dst' type of mount?
	IsBind *bool `protobuf:"varint,8,opt,name=is_bind,json=isBind,def=0" json:"is_bind,omitempty"`
	// Is it a R/W mount? Read-only by default (def=0).
	Rw *bool `protobuf:"varint,9,opt,name=rw,def=0" json:"rw,omitempty"`
	// Is it a directory? If not specified an internal
	// heuristics will be used to determine that
	IsDir *bool `protobuf:"varint,10,opt,name=is_dir,json=isDir" json:"is_dir,omitempty"`
	// Should the sandboxing fail if we cannot mount this resource?
	// Mandatory by default (def=1).
	Mandatory *bool `protobuf:"varint,11,opt,name=mandatory,def=1" json:"mandatory,omitempty"`
	// Is it a symlink (instead of real mount point)?
	IsSymlink *bool `protobuf:"varint,12,opt,name=is_symlink,json=isSymlink,def=0" json:"is_symlink,omitempty"`
	// Is it a nosuid mount
	Nosuid *bool `protobuf:"varint,13,opt,name=nosuid,def=0" json:"nosuid,omitempty"`
	// Is it a nodev mount
	Nodev *bool `protobuf:"varint,14,opt,name=nodev,def=0" json:"nodev,omitempty"`
	// Is it a noexec mount
	Noexec *bool `protobuf:"varint,15,opt,name=noexec,def=0" json:"noexec,omitempty"`
	// contains filtered or unexported fields
}
func (*MountPt) Descriptor
deprecated
func (*MountPt) GetIsSymlink ¶
func (*MountPt) GetMandatory ¶
func (*MountPt) GetOptions ¶
func (*MountPt) GetPrefixDstEnv ¶
func (*MountPt) GetPrefixSrcEnv ¶
func (*MountPt) GetSrcContent ¶
func (*MountPt) ProtoMessage ¶
func (*MountPt) ProtoMessage()
func (*MountPt) ProtoReflect ¶ added in v0.0.12
func (x *MountPt) ProtoReflect() protoreflect.Message
type NsJailConfig ¶
// NsJailConfig is the top-level nsjail configuration message. Proto field
// numbers and defaults live in the struct tags; the Default_NsJailConfig_*
// constants mirror the def= values found there. Tags shown as
// `` /* N-byte string literal not displayed */ were elided by the
// documentation renderer, not by the generated source.
type NsJailConfig struct {
	// Optional name and description for this config
	Name        *string  `protobuf:"bytes,1,opt,name=name,def=" json:"name,omitempty"`
	Description []string `protobuf:"bytes,2,rep,name=description" json:"description,omitempty"`
	// Execution mode: see 'msg Mode' description for more
	Mode *Mode `protobuf:"varint,3,opt,name=mode,enum=nsjail.Mode,def=1" json:"mode,omitempty"`
	// Equivalent to a bind mount with dst='/'. DEPRECATED: Use bind mounts.
	// Deprecated: Do not use.
	ChrootDir *string `protobuf:"bytes,4,opt,name=chroot_dir,json=chrootDir" json:"chroot_dir,omitempty"`
	// Applies both to the chroot_dir and to /proc mounts. DEPRECATED: Use bind mounts
	// Deprecated: Do not use.
	IsRootRw *bool `protobuf:"varint,5,opt,name=is_root_rw,json=isRootRw,def=0" json:"is_root_rw,omitempty"`
	// Hostname inside jail
	Hostname *string `protobuf:"bytes,8,opt,name=hostname,def=NSJAIL" json:"hostname,omitempty"`
	// Initial current working directory for the binary
	Cwd *string `protobuf:"bytes,9,opt,name=cwd,def=/" json:"cwd,omitempty"`
	// TCP port to listen to. Valid with mode=LISTEN only
	Port *uint32 `protobuf:"varint,10,opt,name=port,def=0" json:"port,omitempty"`
	// Host to bind to for mode=LISTEN. Must be in IPv6 format
	Bindhost *string `protobuf:"bytes,11,opt,name=bindhost,def=::" json:"bindhost,omitempty"`
	// For mode=LISTEN, maximum number of connections from a single IP
	MaxConnsPerIp *uint32 `protobuf:"varint,12,opt,name=max_conns_per_ip,json=maxConnsPerIp,def=0" json:"max_conns_per_ip,omitempty"`
	// Wall-time time limit for commands
	TimeLimit *uint32 `protobuf:"varint,13,opt,name=time_limit,json=timeLimit,def=600" json:"time_limit,omitempty"`
	// Should nsjail go into background?
	Daemon *bool `protobuf:"varint,14,opt,name=daemon,def=0" json:"daemon,omitempty"`
	// Maximum number of CPUs to use: 0 - no limit
	MaxCpus *uint32 `protobuf:"varint,15,opt,name=max_cpus,json=maxCpus,def=0" json:"max_cpus,omitempty"`
	// FD to log to.
	LogFd *int32 `protobuf:"varint,16,opt,name=log_fd,json=logFd" json:"log_fd,omitempty"`
	// File to save logs to
	LogFile *string `protobuf:"bytes,17,opt,name=log_file,json=logFile" json:"log_file,omitempty"`
	// Minimum log level displayed.
	// See 'msg LogLevel' description for more
	LogLevel *LogLevel `protobuf:"varint,18,opt,name=log_level,json=logLevel,enum=nsjail.LogLevel" json:"log_level,omitempty"`
	// Should the current environment variables be kept
	// when executing the binary
	KeepEnv *bool `protobuf:"varint,19,opt,name=keep_env,json=keepEnv,def=0" json:"keep_env,omitempty"`
	// EnvVars to be set before executing binaries. If the envvar doesn't contain '='
	// (e.g. just the 'DISPLAY' string), the current envvar value will be used
	Envar []string `protobuf:"bytes,20,rep,name=envar" json:"envar,omitempty"`
	// Should capabilities be preserved or dropped. Dropped by default (def=0).
	KeepCaps *bool `protobuf:"varint,21,opt,name=keep_caps,json=keepCaps,def=0" json:"keep_caps,omitempty"`
	// Which capabilities should be preserved if keep_caps == false.
	// Format: "CAP_SYS_PTRACE"
	Cap []string `protobuf:"bytes,22,rep,name=cap" json:"cap,omitempty"`
	// Should nsjail close FD=0,1,2 before executing the process
	Silent *bool `protobuf:"varint,23,opt,name=silent,def=0" json:"silent,omitempty"`
	// Should the child process have control over terminal?
	// Can be useful to allow /bin/sh to provide
	// job control / signals. Dangerous, can be used to put
	// characters into the controlling terminal back
	SkipSetsid *bool `protobuf:"varint,24,opt,name=skip_setsid,json=skipSetsid,def=0" json:"skip_setsid,omitempty"`
	// Redirect stderr of the process to /dev/null instead of the socket or original TTY
	StderrToNull *bool `protobuf:"varint,25,opt,name=stderr_to_null,json=stderrToNull,def=0" json:"stderr_to_null,omitempty"`
	// Which FDs should be passed to the newly executed process
	// By default only FD=0,1,2 are passed
	PassFd []int32 `protobuf:"varint,26,rep,name=pass_fd,json=passFd" json:"pass_fd,omitempty"`
	// Setting it to true will allow to have set-uid binaries
	// inside the jail. Off by default (def=0), i.e. no_new_privs stays enabled.
	DisableNoNewPrivs *bool `protobuf:"varint,27,opt,name=disable_no_new_privs,json=disableNoNewPrivs,def=0" json:"disable_no_new_privs,omitempty"`
	// Various rlimits, the rlimit_as/rlimit_core/... are used only if
	// rlimit_as_type/rlimit_core_type/... are set to RLimit::VALUE
	RlimitAs         *uint64 `protobuf:"varint,28,opt,name=rlimit_as,json=rlimitAs,def=512" json:"rlimit_as,omitempty"` // In MiB
	RlimitAsType     *RLimit `protobuf:"varint,29,opt,name=rlimit_as_type,json=rlimitAsType,enum=nsjail.RLimit,def=0" json:"rlimit_as_type,omitempty"`
	RlimitCore       *uint64 `protobuf:"varint,30,opt,name=rlimit_core,json=rlimitCore,def=0" json:"rlimit_core,omitempty"` // In MiB
	RlimitCoreType   *RLimit `protobuf:"varint,31,opt,name=rlimit_core_type,json=rlimitCoreType,enum=nsjail.RLimit,def=0" json:"rlimit_core_type,omitempty"`
	RlimitCpu        *uint64 `protobuf:"varint,32,opt,name=rlimit_cpu,json=rlimitCpu,def=600" json:"rlimit_cpu,omitempty"` // In seconds
	RlimitCpuType    *RLimit `protobuf:"varint,33,opt,name=rlimit_cpu_type,json=rlimitCpuType,enum=nsjail.RLimit,def=0" json:"rlimit_cpu_type,omitempty"`
	RlimitFsize      *uint64 `protobuf:"varint,34,opt,name=rlimit_fsize,json=rlimitFsize,def=1" json:"rlimit_fsize,omitempty"` // In MiB
	RlimitFsizeType  *RLimit `` /* 128-byte string literal not displayed */
	RlimitNofile     *uint64 `protobuf:"varint,36,opt,name=rlimit_nofile,json=rlimitNofile,def=32" json:"rlimit_nofile,omitempty"`
	RlimitNofileType *RLimit `` /* 131-byte string literal not displayed */
	// RLIMIT_NPROC is system-wide - tricky to use; use the soft limit value by
	// default here
	RlimitNproc     *uint64 `protobuf:"varint,38,opt,name=rlimit_nproc,json=rlimitNproc,def=1024" json:"rlimit_nproc,omitempty"`
	RlimitNprocType *RLimit `` /* 128-byte string literal not displayed */
	// In MiB, use the soft limit value by default
	RlimitStack     *uint64 `protobuf:"varint,40,opt,name=rlimit_stack,json=rlimitStack,def=1048576" json:"rlimit_stack,omitempty"`
	RlimitStackType *RLimit `` /* 128-byte string literal not displayed */
	// See 'man personality' for more
	PersonaAddrCompatLayout *bool `` /* 135-byte string literal not displayed */
	PersonaMmapPageZero     *bool `protobuf:"varint,43,opt,name=persona_mmap_page_zero,json=personaMmapPageZero,def=0" json:"persona_mmap_page_zero,omitempty"`
	PersonaReadImpliesExec  *bool `` /* 132-byte string literal not displayed */
	PersonaAddrLimit_3Gb    *bool `protobuf:"varint,45,opt,name=persona_addr_limit_3gb,json=personaAddrLimit3gb,def=0" json:"persona_addr_limit_3gb,omitempty"`
	PersonaAddrNoRandomize  *bool `` /* 132-byte string literal not displayed */
	// Which name-spaces should be used? All enabled by default (def=1).
	CloneNewnet  *bool `protobuf:"varint,47,opt,name=clone_newnet,json=cloneNewnet,def=1" json:"clone_newnet,omitempty"`
	CloneNewuser *bool `protobuf:"varint,48,opt,name=clone_newuser,json=cloneNewuser,def=1" json:"clone_newuser,omitempty"`
	CloneNewns   *bool `protobuf:"varint,49,opt,name=clone_newns,json=cloneNewns,def=1" json:"clone_newns,omitempty"`
	CloneNewpid  *bool `protobuf:"varint,50,opt,name=clone_newpid,json=cloneNewpid,def=1" json:"clone_newpid,omitempty"`
	CloneNewipc  *bool `protobuf:"varint,51,opt,name=clone_newipc,json=cloneNewipc,def=1" json:"clone_newipc,omitempty"`
	CloneNewuts  *bool `protobuf:"varint,52,opt,name=clone_newuts,json=cloneNewuts,def=1" json:"clone_newuts,omitempty"`
	// Disable for kernel versions < 4.6 as it's not supported there
	CloneNewcgroup *bool `protobuf:"varint,53,opt,name=clone_newcgroup,json=cloneNewcgroup,def=1" json:"clone_newcgroup,omitempty"`
	// Mappings for UIDs and GIDs. See the description for 'msg IdMap'
	// for more
	Uidmap []*IdMap `protobuf:"bytes,54,rep,name=uidmap" json:"uidmap,omitempty"`
	Gidmap []*IdMap `protobuf:"bytes,55,rep,name=gidmap" json:"gidmap,omitempty"`
	// Should /proc be mounted (R/O)? This can also be added in the 'mount'
	// section below
	MountProc *bool `protobuf:"varint,56,opt,name=mount_proc,json=mountProc,def=0" json:"mount_proc,omitempty"`
	// Mount points inside the jail. See the description for 'msg MountPt'
	// for more
	Mount []*MountPt `protobuf:"bytes,57,rep,name=mount" json:"mount,omitempty"`
	// Kafel seccomp-bpf policy file or a string:
	// Homepage of the project: https://github.com/google/kafel
	SeccompPolicyFile *string  `protobuf:"bytes,58,opt,name=seccomp_policy_file,json=seccompPolicyFile" json:"seccomp_policy_file,omitempty"`
	SeccompString     []string `protobuf:"bytes,59,rep,name=seccomp_string,json=seccompString" json:"seccomp_string,omitempty"`
	// Setting it to true makes audit write seccomp logs to dmesg
	SeccompLog *bool `protobuf:"varint,60,opt,name=seccomp_log,json=seccompLog,def=0" json:"seccomp_log,omitempty"`
	// If > 0, maximum cumulative size of RAM used inside any jail
	CgroupMemMax *uint64 `protobuf:"varint,61,opt,name=cgroup_mem_max,json=cgroupMemMax,def=0" json:"cgroup_mem_max,omitempty"` // In MiB
	// Mount point for cgroups-memory in your system
	CgroupMemMount *string `protobuf:"bytes,62,opt,name=cgroup_mem_mount,json=cgroupMemMount,def=/sys/fs/cgroup/memory" json:"cgroup_mem_mount,omitempty"`
	// Writeable directory (for the nsjail user) under cgroup_mem_mount
	CgroupMemParent *string `protobuf:"bytes,63,opt,name=cgroup_mem_parent,json=cgroupMemParent,def=NSJAIL" json:"cgroup_mem_parent,omitempty"`
	// If > 0, maximum number of PIDs (threads/processes) inside jail
	CgroupPidsMax *uint64 `protobuf:"varint,64,opt,name=cgroup_pids_max,json=cgroupPidsMax,def=0" json:"cgroup_pids_max,omitempty"`
	// Mount point for cgroups-pids in your system
	CgroupPidsMount *string `` /* 126-byte string literal not displayed */
	// Writeable directory (for the nsjail user) under cgroup_pids_mount
	CgroupPidsParent *string `protobuf:"bytes,66,opt,name=cgroup_pids_parent,json=cgroupPidsParent,def=NSJAIL" json:"cgroup_pids_parent,omitempty"`
	// If > 0, Class identifier of network packets inside jail
	CgroupNetClsClassid *uint32 `protobuf:"varint,67,opt,name=cgroup_net_cls_classid,json=cgroupNetClsClassid,def=0" json:"cgroup_net_cls_classid,omitempty"`
	// Mount point for cgroups-net-cls in your system
	CgroupNetClsMount *string `` /* 137-byte string literal not displayed */
	// Writeable directory (for the nsjail user) under cgroup_net_mount
	CgroupNetClsParent *string `protobuf:"bytes,69,opt,name=cgroup_net_cls_parent,json=cgroupNetClsParent,def=NSJAIL" json:"cgroup_net_cls_parent,omitempty"`
	// If > 0 number of milliseconds of CPU that jail processes can use per each second
	CgroupCpuMsPerSec *uint32 `protobuf:"varint,70,opt,name=cgroup_cpu_ms_per_sec,json=cgroupCpuMsPerSec,def=0" json:"cgroup_cpu_ms_per_sec,omitempty"`
	// Mount point for cgroups-cpu in your system
	CgroupCpuMount *string `protobuf:"bytes,71,opt,name=cgroup_cpu_mount,json=cgroupCpuMount,def=/sys/fs/cgroup/cpu" json:"cgroup_cpu_mount,omitempty"`
	// Writeable directory (for the nsjail user) under cgroup_cpu_mount
	CgroupCpuParent *string `protobuf:"bytes,72,opt,name=cgroup_cpu_parent,json=cgroupCpuParent,def=NSJAIL" json:"cgroup_cpu_parent,omitempty"`
	// Should the 'lo' interface be brought up (active) inside this jail?
	// NOTE(review): the field name (iface_no_lo) reads as the inverse of this
	// sentence — confirm the polarity against the .proto before relying on it.
	IfaceNoLo *bool `protobuf:"varint,73,opt,name=iface_no_lo,json=ifaceNoLo,def=0" json:"iface_no_lo,omitempty"`
	// Put this interface inside the jail
	IfaceOwn []string `protobuf:"bytes,74,rep,name=iface_own,json=ifaceOwn" json:"iface_own,omitempty"`
	// Parameters for the cloned MACVLAN interface inside jail
	MacvlanIface *string `protobuf:"bytes,75,opt,name=macvlan_iface,json=macvlanIface" json:"macvlan_iface,omitempty"` // Interface to be cloned, eg 'eth0'
	MacvlanVsIp  *string `protobuf:"bytes,76,opt,name=macvlan_vs_ip,json=macvlanVsIp,def=192.168.0.2" json:"macvlan_vs_ip,omitempty"`
	MacvlanVsNm  *string `protobuf:"bytes,77,opt,name=macvlan_vs_nm,json=macvlanVsNm,def=255.255.255.0" json:"macvlan_vs_nm,omitempty"`
	MacvlanVsGw  *string `protobuf:"bytes,78,opt,name=macvlan_vs_gw,json=macvlanVsGw,def=192.168.0.1" json:"macvlan_vs_gw,omitempty"`
	MacvlanVsMa  *string `protobuf:"bytes,79,opt,name=macvlan_vs_ma,json=macvlanVsMa,def=" json:"macvlan_vs_ma,omitempty"`
	// Binary path (with arguments) to be executed. If not specified here, it
	// can be specified with cmd-line as "-- /path/to/command arg1 arg2"
	ExecBin *Exe `protobuf:"bytes,80,opt,name=exec_bin,json=execBin" json:"exec_bin,omitempty"`
	// contains filtered or unexported fields
}
func (*NsJailConfig) Descriptor
deprecated
func (*NsJailConfig) Descriptor() ([]byte, []int)
Deprecated: Use NsJailConfig.ProtoReflect.Descriptor instead.
func (*NsJailConfig) GetBindhost ¶
func (x *NsJailConfig) GetBindhost() string
func (*NsJailConfig) GetCap ¶
func (x *NsJailConfig) GetCap() []string
func (*NsJailConfig) GetCgroupCpuMount ¶
func (x *NsJailConfig) GetCgroupCpuMount() string
func (*NsJailConfig) GetCgroupCpuMsPerSec ¶
func (x *NsJailConfig) GetCgroupCpuMsPerSec() uint32
func (*NsJailConfig) GetCgroupCpuParent ¶
func (x *NsJailConfig) GetCgroupCpuParent() string
func (*NsJailConfig) GetCgroupMemMax ¶
func (x *NsJailConfig) GetCgroupMemMax() uint64
func (*NsJailConfig) GetCgroupMemMount ¶
func (x *NsJailConfig) GetCgroupMemMount() string
func (*NsJailConfig) GetCgroupMemParent ¶
func (x *NsJailConfig) GetCgroupMemParent() string
func (*NsJailConfig) GetCgroupNetClsClassid ¶
func (x *NsJailConfig) GetCgroupNetClsClassid() uint32
func (*NsJailConfig) GetCgroupNetClsMount ¶
func (x *NsJailConfig) GetCgroupNetClsMount() string
func (*NsJailConfig) GetCgroupNetClsParent ¶
func (x *NsJailConfig) GetCgroupNetClsParent() string
func (*NsJailConfig) GetCgroupPidsMax ¶
func (x *NsJailConfig) GetCgroupPidsMax() uint64
func (*NsJailConfig) GetCgroupPidsMount ¶
func (x *NsJailConfig) GetCgroupPidsMount() string
func (*NsJailConfig) GetCgroupPidsParent ¶
func (x *NsJailConfig) GetCgroupPidsParent() string
func (*NsJailConfig) GetChrootDir
deprecated
func (x *NsJailConfig) GetChrootDir() string
Deprecated: Do not use.
func (*NsJailConfig) GetCloneNewcgroup ¶
func (x *NsJailConfig) GetCloneNewcgroup() bool
func (*NsJailConfig) GetCloneNewipc ¶
func (x *NsJailConfig) GetCloneNewipc() bool
func (*NsJailConfig) GetCloneNewnet ¶
func (x *NsJailConfig) GetCloneNewnet() bool
func (*NsJailConfig) GetCloneNewns ¶
func (x *NsJailConfig) GetCloneNewns() bool
func (*NsJailConfig) GetCloneNewpid ¶
func (x *NsJailConfig) GetCloneNewpid() bool
func (*NsJailConfig) GetCloneNewuser ¶
func (x *NsJailConfig) GetCloneNewuser() bool
func (*NsJailConfig) GetCloneNewuts ¶
func (x *NsJailConfig) GetCloneNewuts() bool
func (*NsJailConfig) GetCwd ¶
func (x *NsJailConfig) GetCwd() string
func (*NsJailConfig) GetDaemon ¶
func (x *NsJailConfig) GetDaemon() bool
func (*NsJailConfig) GetDescription ¶
func (x *NsJailConfig) GetDescription() []string
func (*NsJailConfig) GetDisableNoNewPrivs ¶
func (x *NsJailConfig) GetDisableNoNewPrivs() bool
func (*NsJailConfig) GetEnvar ¶
func (x *NsJailConfig) GetEnvar() []string
func (*NsJailConfig) GetExecBin ¶
func (x *NsJailConfig) GetExecBin() *Exe
func (*NsJailConfig) GetGidmap ¶
func (x *NsJailConfig) GetGidmap() []*IdMap
func (*NsJailConfig) GetHostname ¶
func (x *NsJailConfig) GetHostname() string
func (*NsJailConfig) GetIfaceNoLo ¶
func (x *NsJailConfig) GetIfaceNoLo() bool
func (*NsJailConfig) GetIfaceOwn ¶
func (x *NsJailConfig) GetIfaceOwn() []string
func (*NsJailConfig) GetIsRootRw
deprecated
func (x *NsJailConfig) GetIsRootRw() bool
Deprecated: Do not use.
func (*NsJailConfig) GetKeepCaps ¶
func (x *NsJailConfig) GetKeepCaps() bool
func (*NsJailConfig) GetKeepEnv ¶
func (x *NsJailConfig) GetKeepEnv() bool
func (*NsJailConfig) GetLogFd ¶
func (x *NsJailConfig) GetLogFd() int32
func (*NsJailConfig) GetLogFile ¶
func (x *NsJailConfig) GetLogFile() string
func (*NsJailConfig) GetLogLevel ¶
func (x *NsJailConfig) GetLogLevel() LogLevel
func (*NsJailConfig) GetMacvlanIface ¶
func (x *NsJailConfig) GetMacvlanIface() string
func (*NsJailConfig) GetMacvlanVsGw ¶
func (x *NsJailConfig) GetMacvlanVsGw() string
func (*NsJailConfig) GetMacvlanVsIp ¶
func (x *NsJailConfig) GetMacvlanVsIp() string
func (*NsJailConfig) GetMacvlanVsMa ¶
func (x *NsJailConfig) GetMacvlanVsMa() string
func (*NsJailConfig) GetMacvlanVsNm ¶
func (x *NsJailConfig) GetMacvlanVsNm() string
func (*NsJailConfig) GetMaxConnsPerIp ¶
func (x *NsJailConfig) GetMaxConnsPerIp() uint32
func (*NsJailConfig) GetMaxCpus ¶
func (x *NsJailConfig) GetMaxCpus() uint32
func (*NsJailConfig) GetMode ¶
func (x *NsJailConfig) GetMode() Mode
func (*NsJailConfig) GetMount ¶
func (x *NsJailConfig) GetMount() []*MountPt
func (*NsJailConfig) GetMountProc ¶
func (x *NsJailConfig) GetMountProc() bool
func (*NsJailConfig) GetName ¶
func (x *NsJailConfig) GetName() string
func (*NsJailConfig) GetPassFd ¶
func (x *NsJailConfig) GetPassFd() []int32
func (*NsJailConfig) GetPersonaAddrCompatLayout ¶
func (x *NsJailConfig) GetPersonaAddrCompatLayout() bool
func (*NsJailConfig) GetPersonaAddrLimit_3Gb ¶
func (x *NsJailConfig) GetPersonaAddrLimit_3Gb() bool
func (*NsJailConfig) GetPersonaAddrNoRandomize ¶
func (x *NsJailConfig) GetPersonaAddrNoRandomize() bool
func (*NsJailConfig) GetPersonaMmapPageZero ¶
func (x *NsJailConfig) GetPersonaMmapPageZero() bool
func (*NsJailConfig) GetPersonaReadImpliesExec ¶
func (x *NsJailConfig) GetPersonaReadImpliesExec() bool
func (*NsJailConfig) GetPort ¶
func (x *NsJailConfig) GetPort() uint32
func (*NsJailConfig) GetRlimitAs ¶
func (x *NsJailConfig) GetRlimitAs() uint64
func (*NsJailConfig) GetRlimitAsType ¶
func (x *NsJailConfig) GetRlimitAsType() RLimit
func (*NsJailConfig) GetRlimitCore ¶
func (x *NsJailConfig) GetRlimitCore() uint64
func (*NsJailConfig) GetRlimitCoreType ¶
func (x *NsJailConfig) GetRlimitCoreType() RLimit
func (*NsJailConfig) GetRlimitCpu ¶
func (x *NsJailConfig) GetRlimitCpu() uint64
func (*NsJailConfig) GetRlimitCpuType ¶
func (x *NsJailConfig) GetRlimitCpuType() RLimit
func (*NsJailConfig) GetRlimitFsize ¶
func (x *NsJailConfig) GetRlimitFsize() uint64
func (*NsJailConfig) GetRlimitFsizeType ¶
func (x *NsJailConfig) GetRlimitFsizeType() RLimit
func (*NsJailConfig) GetRlimitNofile ¶
func (x *NsJailConfig) GetRlimitNofile() uint64
func (*NsJailConfig) GetRlimitNofileType ¶
func (x *NsJailConfig) GetRlimitNofileType() RLimit
func (*NsJailConfig) GetRlimitNproc ¶
func (x *NsJailConfig) GetRlimitNproc() uint64
func (*NsJailConfig) GetRlimitNprocType ¶
func (x *NsJailConfig) GetRlimitNprocType() RLimit
func (*NsJailConfig) GetRlimitStack ¶
func (x *NsJailConfig) GetRlimitStack() uint64
func (*NsJailConfig) GetRlimitStackType ¶
func (x *NsJailConfig) GetRlimitStackType() RLimit
func (*NsJailConfig) GetSeccompLog ¶
func (x *NsJailConfig) GetSeccompLog() bool
func (*NsJailConfig) GetSeccompPolicyFile ¶
func (x *NsJailConfig) GetSeccompPolicyFile() string
func (*NsJailConfig) GetSeccompString ¶
func (x *NsJailConfig) GetSeccompString() []string
func (*NsJailConfig) GetSilent ¶
func (x *NsJailConfig) GetSilent() bool
func (*NsJailConfig) GetSkipSetsid ¶
func (x *NsJailConfig) GetSkipSetsid() bool
func (*NsJailConfig) GetStderrToNull ¶
func (x *NsJailConfig) GetStderrToNull() bool
func (*NsJailConfig) GetTimeLimit ¶
func (x *NsJailConfig) GetTimeLimit() uint32
func (*NsJailConfig) GetUidmap ¶
func (x *NsJailConfig) GetUidmap() []*IdMap
func (*NsJailConfig) ProtoMessage ¶
func (*NsJailConfig) ProtoMessage()
func (*NsJailConfig) ProtoReflect ¶ added in v0.0.12
func (x *NsJailConfig) ProtoReflect() protoreflect.Message
func (*NsJailConfig) Reset ¶
func (x *NsJailConfig) Reset()
func (*NsJailConfig) String ¶
func (x *NsJailConfig) String() string
type RLimit ¶
type RLimit int32
func (RLimit) Descriptor ¶ added in v0.0.12
func (RLimit) Descriptor() protoreflect.EnumDescriptor
func (RLimit) EnumDescriptor
deprecated
func (RLimit) Number ¶ added in v0.0.12
func (x RLimit) Number() protoreflect.EnumNumber
func (RLimit) Type ¶ added in v0.0.12
func (RLimit) Type() protoreflect.EnumType
func (*RLimit) UnmarshalJSON
deprecated