nsjail

v0.0.4
Published: Jun 26, 2019 License: BSD-3-Clause Imports: 3 Imported by: 0

README

nsjail config proto

Protobuf schema for nsjail (GitHub). This is used to provide a hermetic build environment with arbitrary toolchain support.

How to update the file?

  1. git clone
$ git clone https://github.com/google/nsjail.git
  2. Copy the config.proto file.
$ cp nsjail/config.proto .

Documentation


Constants

// Proto2 field defaults generated by protoc-gen-go from config.proto. Each
// Default_<Message>_<Field> constant mirrors the def= value in that field's
// struct tag and is the value the generated Get<Field>() accessor falls back
// to when the field is nil. Grouped by message and, for NsJailConfig, by topic.
const (
	// Exe: the binary executed inside the jail.
	Default_Exe_ExecFd bool = false

	// IdMap: one UID/GID mapping entry.
	Default_IdMap_Count       uint32 = 1
	Default_IdMap_UseNewidmap bool   = false

	// MountPt: a mount is read-only and mandatory by default; the
	// nosuid/nodev/noexec flags are not set unless the config asks for them.
	Default_MountPt_IsBind    bool = false
	Default_MountPt_IsSymlink bool = false
	Default_MountPt_Mandatory bool = true
	Default_MountPt_Nodev     bool = false
	Default_MountPt_Noexec    bool = false
	Default_MountPt_Nosuid    bool = false
	Default_MountPt_Rw        bool = false

	// NsJailConfig: process identity and wall-clock limit. TimeLimit's unit is
	// not stated in this file (presumably seconds — confirm in config.proto).
	Default_NsJailConfig_Cwd       string = "/"
	Default_NsJailConfig_Hostname  string = "NSJAIL"
	Default_NsJailConfig_Daemon    bool   = false
	Default_NsJailConfig_TimeLimit uint32 = 600
	Default_NsJailConfig_MaxCpus   uint32 = 0

	// NsJailConfig: FD, environment and privilege handling. All default to the
	// restrictive setting: no inherited environment, capabilities dropped,
	// no_new_privs kept.
	Default_NsJailConfig_Silent            bool = false
	Default_NsJailConfig_SkipSetsid        bool = false
	Default_NsJailConfig_StderrToNull      bool = false
	Default_NsJailConfig_KeepEnv           bool = false
	Default_NsJailConfig_KeepCaps          bool = false
	Default_NsJailConfig_DisableNoNewPrivs bool = false

	// NsJailConfig: root filesystem and seccomp logging.
	Default_NsJailConfig_IsRootRw   bool = false
	Default_NsJailConfig_MountProc  bool = false
	Default_NsJailConfig_SeccompLog bool = false

	// NsJailConfig: mode=LISTEN networking (Bindhost must be in IPv6 format).
	Default_NsJailConfig_Bindhost      string = "::"
	Default_NsJailConfig_Port          uint32 = 0
	Default_NsJailConfig_MaxConnsPerIp uint32 = 0

	// NsJailConfig: every namespace is enabled by default (def=1 in the tags).
	Default_NsJailConfig_CloneNewcgroup bool = true
	Default_NsJailConfig_CloneNewipc    bool = true
	Default_NsJailConfig_CloneNewnet    bool = true
	Default_NsJailConfig_CloneNewns     bool = true
	Default_NsJailConfig_CloneNewpid    bool = true
	Default_NsJailConfig_CloneNewuser   bool = true
	Default_NsJailConfig_CloneNewuts    bool = true

	// NsJailConfig: in-jail interfaces and the cloned MACVLAN interface.
	Default_NsJailConfig_IfaceNoLo   bool   = false
	Default_NsJailConfig_MacvlanVsGw string = "192.168.0.1"
	Default_NsJailConfig_MacvlanVsIp string = "192.168.0.2"
	Default_NsJailConfig_MacvlanVsNm string = "255.255.255.0"

	// NsJailConfig: personality(2) flags, all off by default.
	Default_NsJailConfig_PersonaAddrCompatLayout bool = false
	Default_NsJailConfig_PersonaAddrLimit_3Gb    bool = false
	Default_NsJailConfig_PersonaAddrNoRandomize  bool = false
	Default_NsJailConfig_PersonaMmapPageZero     bool = false
	Default_NsJailConfig_PersonaReadImpliesExec  bool = false

	// NsJailConfig: rlimit values. Each applies only when the matching
	// Rlimit*Type field is RLimit_VALUE; Nproc and Stack default to
	// RLimit_SOFT, so their numbers here are unused unless that type is
	// changed. Only RlimitStack is documented (in MiB); the units of the
	// others are not stated in this file.
	Default_NsJailConfig_RlimitAs     uint64 = 512
	Default_NsJailConfig_RlimitCore   uint64 = 0
	Default_NsJailConfig_RlimitCpu    uint64 = 600
	Default_NsJailConfig_RlimitFsize  uint64 = 1
	Default_NsJailConfig_RlimitNofile uint64 = 32
	Default_NsJailConfig_RlimitNproc  uint64 = 1024
	Default_NsJailConfig_RlimitStack  uint64 = 1048576

	// NsJailConfig: cgroup controllers. A limit of 0 means "not enforced";
	// each *Parent directory must be writable by the nsjail user.
	Default_NsJailConfig_CgroupCpuMount      string = "/sys/fs/cgroup/cpu"
	Default_NsJailConfig_CgroupCpuMsPerSec   uint32 = 0
	Default_NsJailConfig_CgroupCpuParent     string = "NSJAIL"
	Default_NsJailConfig_CgroupMemMax        uint64 = 0
	Default_NsJailConfig_CgroupMemMount      string = "/sys/fs/cgroup/memory"
	Default_NsJailConfig_CgroupMemParent     string = "NSJAIL"
	Default_NsJailConfig_CgroupNetClsClassid uint32 = 0
	Default_NsJailConfig_CgroupNetClsMount   string = "/sys/fs/cgroup/net_cls"
	Default_NsJailConfig_CgroupNetClsParent  string = "NSJAIL"
	Default_NsJailConfig_CgroupPidsMax       uint64 = 0
	Default_NsJailConfig_CgroupPidsMount     string = "/sys/fs/cgroup/pids"
	Default_NsJailConfig_CgroupPidsParent    string = "NSJAIL"
)

Variables

// Enum name/number tables generated by protoc-gen-go for the three enums in
// config.proto. Each *_value map is the exact inverse of its *_name map; in the
// standard protoc-gen-go layout these presumably back the enums' String and
// UnmarshalJSON methods, so the two sides must be kept in sync.
var (
	LogLevel_name = map[int32]string{
		0: "DEBUG",
		1: "INFO",
		2: "WARNING",
		3: "ERROR",
		4: "FATAL",
	}
	LogLevel_value = map[string]int32{
		"DEBUG":   0,
		"INFO":    1,
		"WARNING": 2,
		"ERROR":   3,
		"FATAL":   4,
	}

	Mode_name = map[int32]string{
		0: "LISTEN",
		1: "ONCE",
		2: "RERUN",
		3: "EXECVE",
	}
	Mode_value = map[string]int32{
		"LISTEN": 0,
		"ONCE":   1,
		"RERUN":  2,
		"EXECVE": 3,
	}

	RLimit_name = map[int32]string{
		0: "VALUE",
		1: "SOFT",
		2: "HARD",
		3: "INF",
	}
	RLimit_value = map[string]int32{
		"VALUE": 0,
		"SOFT":  1,
		"HARD":  2,
		"INF":   3,
	}
)

Functions

This section is empty.

Types

type Exe

// Exe is the generated Go type for the nsjail.Exe message: the binary to
// execute inside the jail, referenced from NsJailConfig.ExecBin. Path is the
// only required field (req in its tag); optional scalars are pointers whose
// default lives in the Default_Exe_* constants.
type Exe struct {
	// Will be used both as execv's path and as argv[0]
	Path *string `protobuf:"bytes,1,req,name=path" json:"path,omitempty"`
	// This will be argv[1] and so on..
	Arg []string `protobuf:"bytes,2,rep,name=arg" json:"arg,omitempty"`
	// Override argv[0]
	Arg0 *string `protobuf:"bytes,3,opt,name=arg0" json:"arg0,omitempty"`
	// Should execveat() be used to execute a file-descriptor instead?
	// Defaults to false (Default_Exe_ExecFd).
	ExecFd               *bool    `protobuf:"varint,4,opt,name=exec_fd,json=execFd,def=0" json:"exec_fd,omitempty"`
	// Generated protobuf bookkeeping fields; not configuration values.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*Exe) Descriptor

func (*Exe) Descriptor() ([]byte, []int)

func (*Exe) GetArg

func (m *Exe) GetArg() []string

func (*Exe) GetArg0

func (m *Exe) GetArg0() string

func (*Exe) GetExecFd

func (m *Exe) GetExecFd() bool

func (*Exe) GetPath

func (m *Exe) GetPath() string

func (*Exe) ProtoMessage

func (*Exe) ProtoMessage()

func (*Exe) Reset

func (m *Exe) Reset()

func (*Exe) String

func (m *Exe) String() string

func (*Exe) XXX_DiscardUnknown

func (m *Exe) XXX_DiscardUnknown()

func (*Exe) XXX_Marshal

func (m *Exe) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Exe) XXX_Merge

func (m *Exe) XXX_Merge(src proto.Message)

func (*Exe) XXX_Size

func (m *Exe) XXX_Size() int

func (*Exe) XXX_Unmarshal

func (m *Exe) XXX_Unmarshal(b []byte) error

type IdMap

// IdMap is the generated Go type for the nsjail.IdMap message: one UID or GID
// mapping entry for the jail's user namespace, listed in NsJailConfig.Uidmap
// and NsJailConfig.Gidmap. All fields are optional; defaults live in the
// Default_IdMap_* constants.
type IdMap struct {
	// Empty string means "current uid/gid"
	InsideId  *string `protobuf:"bytes,1,opt,name=inside_id,json=insideId,def=" json:"inside_id,omitempty"`
	OutsideId *string `protobuf:"bytes,2,opt,name=outside_id,json=outsideId,def=" json:"outside_id,omitempty"`
	// See 'man user_namespaces' for the meaning of count
	// Defaults to 1 (Default_IdMap_Count).
	Count *uint32 `protobuf:"varint,3,opt,name=count,def=1" json:"count,omitempty"`
	// Does this map use /usr/bin/new[u|g]idmap binary?
	// Defaults to false (Default_IdMap_UseNewidmap).
	UseNewidmap          *bool    `protobuf:"varint,4,opt,name=use_newidmap,json=useNewidmap,def=0" json:"use_newidmap,omitempty"`
	// Generated protobuf bookkeeping fields; not configuration values.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*IdMap) Descriptor

func (*IdMap) Descriptor() ([]byte, []int)

func (*IdMap) GetCount

func (m *IdMap) GetCount() uint32

func (*IdMap) GetInsideId

func (m *IdMap) GetInsideId() string

func (*IdMap) GetOutsideId

func (m *IdMap) GetOutsideId() string

func (*IdMap) GetUseNewidmap

func (m *IdMap) GetUseNewidmap() bool

func (*IdMap) ProtoMessage

func (*IdMap) ProtoMessage()

func (*IdMap) Reset

func (m *IdMap) Reset()

func (*IdMap) String

func (m *IdMap) String() string

func (*IdMap) XXX_DiscardUnknown

func (m *IdMap) XXX_DiscardUnknown()

func (*IdMap) XXX_Marshal

func (m *IdMap) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*IdMap) XXX_Merge

func (m *IdMap) XXX_Merge(src proto.Message)

func (*IdMap) XXX_Size

func (m *IdMap) XXX_Size() int

func (*IdMap) XXX_Unmarshal

func (m *IdMap) XXX_Unmarshal(b []byte) error

type LogLevel

// LogLevel is the generated Go type for the nsjail.LogLevel enum: the minimum
// severity that nsjail displays, selected by NsJailConfig.LogLevel.
//
// Should be self-explanatory.
type LogLevel int32

// LogLevel values, from least to most severe. The numbers are the protobuf
// enum numbers and must not be reordered.
const (
	LogLevel_DEBUG LogLevel = iota
	LogLevel_INFO
	LogLevel_WARNING
	LogLevel_ERROR
	LogLevel_FATAL
)

func (LogLevel) Enum

func (x LogLevel) Enum() *LogLevel

func (LogLevel) EnumDescriptor

func (LogLevel) EnumDescriptor() ([]byte, []int)

func (LogLevel) String

func (x LogLevel) String() string

func (*LogLevel) UnmarshalJSON

func (x *LogLevel) UnmarshalJSON(data []byte) error

type Mode

// Mode is the generated Go type for the nsjail.Mode enum: the execution mode
// selected by NsJailConfig.Mode. Port and Bindhost are only meaningful with
// Mode_LISTEN (see the NsJailConfig field comments).
type Mode int32

// Mode values. The numbers are the protobuf enum numbers and must not be
// reordered.
const (
	Mode_LISTEN Mode = iota
	Mode_ONCE
	Mode_RERUN
	Mode_EXECVE
)

// Default_NsJailConfig_Mode is the default for NsJailConfig.Mode (tag def=1).
const Default_NsJailConfig_Mode Mode = Mode_ONCE

func (Mode) Enum

func (x Mode) Enum() *Mode

func (Mode) EnumDescriptor

func (Mode) EnumDescriptor() ([]byte, []int)

func (Mode) String

func (x Mode) String() string

func (*Mode) UnmarshalJSON

func (x *Mode) UnmarshalJSON(data []byte) error

type MountPt

// MountPt is the generated Go type for the nsjail.MountPt message: one mount
// point (or symlink) set up inside the jail, listed in NsJailConfig.Mount.
// Dst is the only required field (req in its tag); every other field is
// optional with its default in the Default_MountPt_* constants.
type MountPt struct {
	// Can be skipped for filesystems like 'proc'
	Src *string `protobuf:"bytes,1,opt,name=src,def=" json:"src,omitempty"`
	// Should 'src' path be prefixed with this envvar?
	PrefixSrcEnv *string `protobuf:"bytes,2,opt,name=prefix_src_env,json=prefixSrcEnv,def=" json:"prefix_src_env,omitempty"`
	// If specified, contains buffer that will be written to the dst file
	SrcContent []byte `protobuf:"bytes,3,opt,name=src_content,json=srcContent,def=" json:"src_content,omitempty"`
	// Mount point inside jail
	Dst *string `protobuf:"bytes,4,req,name=dst,def=" json:"dst,omitempty"`
	// Should 'dst' path be prefixed with this envvar?
	PrefixDstEnv *string `protobuf:"bytes,5,opt,name=prefix_dst_env,json=prefixDstEnv,def=" json:"prefix_dst_env,omitempty"`
	// Can be empty for mount --bind mounts
	Fstype *string `protobuf:"bytes,6,opt,name=fstype,def=" json:"fstype,omitempty"`
	// E.g. size=5000000 for 'tmpfs'
	Options *string `protobuf:"bytes,7,opt,name=options,def=" json:"options,omitempty"`
	// Is it a 'mount --bind src dst' type of mount?
	IsBind *bool `protobuf:"varint,8,opt,name=is_bind,json=isBind,def=0" json:"is_bind,omitempty"`
	// Is it a R/W mount? Defaults to false, i.e. read-only.
	Rw *bool `protobuf:"varint,9,opt,name=rw,def=0" json:"rw,omitempty"`
	// Is it a directory? If not specified an internal
	//heuristics will be used to determine that
	IsDir *bool `protobuf:"varint,10,opt,name=is_dir,json=isDir" json:"is_dir,omitempty"`
	// Should the sandboxing fail if we cannot mount this resource?
	// Defaults to true, so a missing mount aborts jail setup rather than
	// silently running without it.
	Mandatory *bool `protobuf:"varint,11,opt,name=mandatory,def=1" json:"mandatory,omitempty"`
	// Is it a symlink (instead of real mount point)?
	IsSymlink *bool `protobuf:"varint,12,opt,name=is_symlink,json=isSymlink,def=0" json:"is_symlink,omitempty"`
	// NOTE(review): nosuid/nodev/noexec all default to false; writable bind
	// mounts are a natural place to set them explicitly.
	// Is it a nosuid mount
	Nosuid *bool `protobuf:"varint,13,opt,name=nosuid,def=0" json:"nosuid,omitempty"`
	// Is it a nodev mount
	Nodev *bool `protobuf:"varint,14,opt,name=nodev,def=0" json:"nodev,omitempty"`
	// Is it a noexec mount
	Noexec               *bool    `protobuf:"varint,15,opt,name=noexec,def=0" json:"noexec,omitempty"`
	// Generated protobuf bookkeeping fields; not configuration values.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*MountPt) Descriptor

func (*MountPt) Descriptor() ([]byte, []int)

func (*MountPt) GetDst

func (m *MountPt) GetDst() string

func (*MountPt) GetFstype

func (m *MountPt) GetFstype() string

func (*MountPt) GetIsBind

func (m *MountPt) GetIsBind() bool

func (*MountPt) GetIsDir

func (m *MountPt) GetIsDir() bool

func (*MountPt) GetIsSymlink

func (m *MountPt) GetIsSymlink() bool

func (*MountPt) GetMandatory

func (m *MountPt) GetMandatory() bool

func (*MountPt) GetNodev

func (m *MountPt) GetNodev() bool

func (*MountPt) GetNoexec

func (m *MountPt) GetNoexec() bool

func (*MountPt) GetNosuid

func (m *MountPt) GetNosuid() bool

func (*MountPt) GetOptions

func (m *MountPt) GetOptions() string

func (*MountPt) GetPrefixDstEnv

func (m *MountPt) GetPrefixDstEnv() string

func (*MountPt) GetPrefixSrcEnv

func (m *MountPt) GetPrefixSrcEnv() string

func (*MountPt) GetRw

func (m *MountPt) GetRw() bool

func (*MountPt) GetSrc

func (m *MountPt) GetSrc() string

func (*MountPt) GetSrcContent

func (m *MountPt) GetSrcContent() []byte

func (*MountPt) ProtoMessage

func (*MountPt) ProtoMessage()

func (*MountPt) Reset

func (m *MountPt) Reset()

func (*MountPt) String

func (m *MountPt) String() string

func (*MountPt) XXX_DiscardUnknown

func (m *MountPt) XXX_DiscardUnknown()

func (*MountPt) XXX_Marshal

func (m *MountPt) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*MountPt) XXX_Merge

func (m *MountPt) XXX_Merge(src proto.Message)

func (*MountPt) XXX_Size

func (m *MountPt) XXX_Size() int

func (*MountPt) XXX_Unmarshal

func (m *MountPt) XXX_Unmarshal(b []byte) error

type NsJailConfig

// NsJailConfig is the generated Go type for the top-level nsjail.NsJailConfig
// message: one complete jail definition (execution mode, limits, namespaces,
// ID maps, mounts, seccomp policy, cgroups and networking). Optional scalar
// fields are pointers; a nil field means the Default_NsJailConfig_* value
// applies (where the tag carries def=). ChrootDir and IsRootRw are deprecated
// in favour of bind mounts. Several tags are elided by the documentation
// renderer ("string literal not displayed"); see config.proto for them.
type NsJailConfig struct {
	// Optional name and description for this config
	Name        *string  `protobuf:"bytes,1,opt,name=name,def=" json:"name,omitempty"`
	Description []string `protobuf:"bytes,2,rep,name=description" json:"description,omitempty"`
	// Execution mode: see 'msg Mode' description for more
	// Defaults to Mode_ONCE (def=1).
	Mode *Mode `protobuf:"varint,3,opt,name=mode,enum=nsjail.Mode,def=1" json:"mode,omitempty"`
	// Equivalent to a bind mount with dst='/'. DEPRECATED: Use bind mounts.
	ChrootDir *string `protobuf:"bytes,4,opt,name=chroot_dir,json=chrootDir" json:"chroot_dir,omitempty"` // Deprecated: Do not use.
	// Applies both to the chroot_dir and to /proc mounts. DEPRECATED: Use bind mounts
	IsRootRw *bool `protobuf:"varint,5,opt,name=is_root_rw,json=isRootRw,def=0" json:"is_root_rw,omitempty"` // Deprecated: Do not use.
	// Hostname inside jail
	Hostname *string `protobuf:"bytes,8,opt,name=hostname,def=NSJAIL" json:"hostname,omitempty"`
	// Initial current working directory for the binary
	Cwd *string `protobuf:"bytes,9,opt,name=cwd,def=/" json:"cwd,omitempty"`
	// TCP port to listen to. Valid with mode=LISTEN only
	Port *uint32 `protobuf:"varint,10,opt,name=port,def=0" json:"port,omitempty"`
	// Host to bind to for mode=LISTEN. Must be in IPv6 format
	Bindhost *string `protobuf:"bytes,11,opt,name=bindhost,def=::" json:"bindhost,omitempty"`
	// For mode=LISTEN, maximum number of connections from a single IP
	// (0 by default; whether 0 means "unlimited" is not stated here — confirm in config.proto)
	MaxConnsPerIp *uint32 `protobuf:"varint,12,opt,name=max_conns_per_ip,json=maxConnsPerIp,def=0" json:"max_conns_per_ip,omitempty"`
	// Wall-time time limit for commands
	// Defaults to 600; unit not stated here (presumably seconds — confirm in config.proto)
	TimeLimit *uint32 `protobuf:"varint,13,opt,name=time_limit,json=timeLimit,def=600" json:"time_limit,omitempty"`
	// Should nsjail go into background?
	Daemon *bool `protobuf:"varint,14,opt,name=daemon,def=0" json:"daemon,omitempty"`
	// Maximum number of CPUs to use: 0 - no limit
	MaxCpus *uint32 `protobuf:"varint,15,opt,name=max_cpus,json=maxCpus,def=0" json:"max_cpus,omitempty"`
	// FD to log to.
	LogFd *int32 `protobuf:"varint,16,opt,name=log_fd,json=logFd" json:"log_fd,omitempty"`
	// File to save logs to
	LogFile *string `protobuf:"bytes,17,opt,name=log_file,json=logFile" json:"log_file,omitempty"`
	// Minimum log level displayed.
	//See 'msg LogLevel' description for more
	LogLevel *LogLevel `protobuf:"varint,18,opt,name=log_level,json=logLevel,enum=nsjail.LogLevel" json:"log_level,omitempty"`
	// Should the current environment variables be kept
	//when executing the binary
	KeepEnv *bool `protobuf:"varint,19,opt,name=keep_env,json=keepEnv,def=0" json:"keep_env,omitempty"`
	// EnvVars to be set before executing binaries. If the envvar doesn't contain '='
	//(e.g. just the 'DISPLAY' string), the current envvar value will be used
	Envar []string `protobuf:"bytes,20,rep,name=envar" json:"envar,omitempty"`
	// Should capabilities be preserved or dropped
	// Defaults to false (dropped).
	KeepCaps *bool `protobuf:"varint,21,opt,name=keep_caps,json=keepCaps,def=0" json:"keep_caps,omitempty"`
	// Which capabilities should be preserved if keep_caps == false.
	//Format: "CAP_SYS_PTRACE"
	Cap []string `protobuf:"bytes,22,rep,name=cap" json:"cap,omitempty"`
	// Should nsjail close FD=0,1,2 before executing the process
	Silent *bool `protobuf:"varint,23,opt,name=silent,def=0" json:"silent,omitempty"`
	// Should the child process have control over terminal?
	//Can be useful to allow /bin/sh to provide
	//job control / signals. Dangerous, can be used to put
	//characters into the controlling terminal back
	SkipSetsid *bool `protobuf:"varint,24,opt,name=skip_setsid,json=skipSetsid,def=0" json:"skip_setsid,omitempty"`
	// Redirect stderr of the process to /dev/null instead of the socket or original TTY
	StderrToNull *bool `protobuf:"varint,25,opt,name=stderr_to_null,json=stderrToNull,def=0" json:"stderr_to_null,omitempty"`
	// Which FDs should be passed to the newly executed process
	//By default only FD=0,1,2 are passed
	PassFd []int32 `protobuf:"varint,26,rep,name=pass_fd,json=passFd" json:"pass_fd,omitempty"`
	// Setting it to true will allow to have set-uid binaries
	//inside the jail
	// Defaults to false, i.e. no_new_privs stays enabled.
	DisableNoNewPrivs *bool `protobuf:"varint,27,opt,name=disable_no_new_privs,json=disableNoNewPrivs,def=0" json:"disable_no_new_privs,omitempty"`
	// Various rlimits, the rlimit_as/rlimit_core/... are used only if
	//rlimit_as_type/rlimit_core_type/... are set to RLimit::VALUE
	// (the *Type defaults are the Default_NsJailConfig_Rlimit*Type constants)
	RlimitAs         *uint64 `protobuf:"varint,28,opt,name=rlimit_as,json=rlimitAs,def=512" json:"rlimit_as,omitempty"`
	RlimitAsType     *RLimit `protobuf:"varint,29,opt,name=rlimit_as_type,json=rlimitAsType,enum=nsjail.RLimit,def=0" json:"rlimit_as_type,omitempty"`
	RlimitCore       *uint64 `protobuf:"varint,30,opt,name=rlimit_core,json=rlimitCore,def=0" json:"rlimit_core,omitempty"`
	RlimitCoreType   *RLimit `protobuf:"varint,31,opt,name=rlimit_core_type,json=rlimitCoreType,enum=nsjail.RLimit,def=0" json:"rlimit_core_type,omitempty"`
	RlimitCpu        *uint64 `protobuf:"varint,32,opt,name=rlimit_cpu,json=rlimitCpu,def=600" json:"rlimit_cpu,omitempty"`
	RlimitCpuType    *RLimit `protobuf:"varint,33,opt,name=rlimit_cpu_type,json=rlimitCpuType,enum=nsjail.RLimit,def=0" json:"rlimit_cpu_type,omitempty"`
	RlimitFsize      *uint64 `protobuf:"varint,34,opt,name=rlimit_fsize,json=rlimitFsize,def=1" json:"rlimit_fsize,omitempty"`
	RlimitFsizeType  *RLimit `` /* 128-byte string literal not displayed */
	RlimitNofile     *uint64 `protobuf:"varint,36,opt,name=rlimit_nofile,json=rlimitNofile,def=32" json:"rlimit_nofile,omitempty"`
	RlimitNofileType *RLimit `` /* 131-byte string literal not displayed */
	// RLIMIT_NPROC is system-wide - tricky to use; use the soft limit value by
	// default here
	RlimitNproc     *uint64 `protobuf:"varint,38,opt,name=rlimit_nproc,json=rlimitNproc,def=1024" json:"rlimit_nproc,omitempty"`
	RlimitNprocType *RLimit `` /* 128-byte string literal not displayed */
	// In MiB, use the soft limit value by default
	RlimitStack     *uint64 `protobuf:"varint,40,opt,name=rlimit_stack,json=rlimitStack,def=1048576" json:"rlimit_stack,omitempty"`
	RlimitStackType *RLimit `` /* 128-byte string literal not displayed */
	// See 'man personality' for more
	// NOTE(review): the names match personality(2) flags; in particular
	// PersonaAddrNoRandomize presumably maps to ADDR_NO_RANDOMIZE, which would
	// disable ASLR for the jailed process — confirm in config.proto before enabling.
	PersonaAddrCompatLayout *bool `` /* 135-byte string literal not displayed */
	PersonaMmapPageZero     *bool `protobuf:"varint,43,opt,name=persona_mmap_page_zero,json=personaMmapPageZero,def=0" json:"persona_mmap_page_zero,omitempty"`
	PersonaReadImpliesExec  *bool `` /* 132-byte string literal not displayed */
	PersonaAddrLimit_3Gb    *bool `protobuf:"varint,45,opt,name=persona_addr_limit_3gb,json=personaAddrLimit3gb,def=0" json:"persona_addr_limit_3gb,omitempty"`
	PersonaAddrNoRandomize  *bool `` /* 132-byte string literal not displayed */
	// Which name-spaces should be used?
	// All default to true (def=1); setting one to false shares that namespace with the host.
	CloneNewnet  *bool `protobuf:"varint,47,opt,name=clone_newnet,json=cloneNewnet,def=1" json:"clone_newnet,omitempty"`
	CloneNewuser *bool `protobuf:"varint,48,opt,name=clone_newuser,json=cloneNewuser,def=1" json:"clone_newuser,omitempty"`
	CloneNewns   *bool `protobuf:"varint,49,opt,name=clone_newns,json=cloneNewns,def=1" json:"clone_newns,omitempty"`
	CloneNewpid  *bool `protobuf:"varint,50,opt,name=clone_newpid,json=cloneNewpid,def=1" json:"clone_newpid,omitempty"`
	CloneNewipc  *bool `protobuf:"varint,51,opt,name=clone_newipc,json=cloneNewipc,def=1" json:"clone_newipc,omitempty"`
	CloneNewuts  *bool `protobuf:"varint,52,opt,name=clone_newuts,json=cloneNewuts,def=1" json:"clone_newuts,omitempty"`
	// Disable for kernel versions < 4.6 as it's not supported there
	CloneNewcgroup *bool `protobuf:"varint,53,opt,name=clone_newcgroup,json=cloneNewcgroup,def=1" json:"clone_newcgroup,omitempty"`
	// Mappings for UIDs and GIDs. See the description for 'msg IdMap'
	//for more
	Uidmap []*IdMap `protobuf:"bytes,54,rep,name=uidmap" json:"uidmap,omitempty"`
	Gidmap []*IdMap `protobuf:"bytes,55,rep,name=gidmap" json:"gidmap,omitempty"`
	// Should /proc be mounted (R/O)? This can also be added in the 'mount'
	//section below
	MountProc *bool `protobuf:"varint,56,opt,name=mount_proc,json=mountProc,def=0" json:"mount_proc,omitempty"`
	// Mount points inside the jail. See the description for 'msg MountPt'
	//for more
	Mount []*MountPt `protobuf:"bytes,57,rep,name=mount" json:"mount,omitempty"`
	// Kafel seccomp-bpf policy file or a string:
	//Homepage of the project: https://github.com/google/kafel
	// SeccompString holds inline policy text as an alternative to SeccompPolicyFile.
	SeccompPolicyFile *string  `protobuf:"bytes,58,opt,name=seccomp_policy_file,json=seccompPolicyFile" json:"seccomp_policy_file,omitempty"`
	SeccompString     []string `protobuf:"bytes,59,rep,name=seccomp_string,json=seccompString" json:"seccomp_string,omitempty"`
	// Setting it to true makes audit write seccomp logs to dmesg
	SeccompLog *bool `protobuf:"varint,60,opt,name=seccomp_log,json=seccompLog,def=0" json:"seccomp_log,omitempty"`
	// If > 0, maximum cumulative size of RAM used inside any jail
	CgroupMemMax *uint64 `protobuf:"varint,61,opt,name=cgroup_mem_max,json=cgroupMemMax,def=0" json:"cgroup_mem_max,omitempty"`
	// Mount point for cgroups-memory in your system
	CgroupMemMount *string `protobuf:"bytes,62,opt,name=cgroup_mem_mount,json=cgroupMemMount,def=/sys/fs/cgroup/memory" json:"cgroup_mem_mount,omitempty"`
	// Writeable directory (for the nsjail user) under cgroup_mem_mount
	CgroupMemParent *string `protobuf:"bytes,63,opt,name=cgroup_mem_parent,json=cgroupMemParent,def=NSJAIL" json:"cgroup_mem_parent,omitempty"`
	// If > 0, maximum number of PIDs (threads/processes) inside jail
	CgroupPidsMax *uint64 `protobuf:"varint,64,opt,name=cgroup_pids_max,json=cgroupPidsMax,def=0" json:"cgroup_pids_max,omitempty"`
	// Mount point for cgroups-pids in your system
	CgroupPidsMount *string `` /* 126-byte string literal not displayed */
	// Writeable directory (for the nsjail user) under cgroup_pids_mount
	CgroupPidsParent *string `protobuf:"bytes,66,opt,name=cgroup_pids_parent,json=cgroupPidsParent,def=NSJAIL" json:"cgroup_pids_parent,omitempty"`
	// If > 0, Class identifier of network packets inside jail
	CgroupNetClsClassid *uint32 `protobuf:"varint,67,opt,name=cgroup_net_cls_classid,json=cgroupNetClsClassid,def=0" json:"cgroup_net_cls_classid,omitempty"`
	// Mount point for cgroups-net-cls in your system
	CgroupNetClsMount *string `` /* 137-byte string literal not displayed */
	// Writeable directory (for the nsjail user) under cgroup_net_mount
	CgroupNetClsParent *string `protobuf:"bytes,69,opt,name=cgroup_net_cls_parent,json=cgroupNetClsParent,def=NSJAIL" json:"cgroup_net_cls_parent,omitempty"`
	// If > 0 number of milliseconds of CPU that jail processes can use per each second
	CgroupCpuMsPerSec *uint32 `protobuf:"varint,70,opt,name=cgroup_cpu_ms_per_sec,json=cgroupCpuMsPerSec,def=0" json:"cgroup_cpu_ms_per_sec,omitempty"`
	// Mount point for cgroups-cpu in your system
	CgroupCpuMount *string `protobuf:"bytes,71,opt,name=cgroup_cpu_mount,json=cgroupCpuMount,def=/sys/fs/cgroup/cpu" json:"cgroup_cpu_mount,omitempty"`
	// Writeable directory (for the nsjail user) under cgroup_cpu_mount
	CgroupCpuParent *string `protobuf:"bytes,72,opt,name=cgroup_cpu_parent,json=cgroupCpuParent,def=NSJAIL" json:"cgroup_cpu_parent,omitempty"`
	// Should the 'lo' interface be brought up (active) inside this jail?
	// NOTE(review): the field name reads as "no lo", i.e. true would suppress
	// bringing up 'lo', which is the opposite of the sentence above — confirm in config.proto.
	IfaceNoLo *bool `protobuf:"varint,73,opt,name=iface_no_lo,json=ifaceNoLo,def=0" json:"iface_no_lo,omitempty"`
	// Put this interface inside the jail
	IfaceOwn []string `protobuf:"bytes,74,rep,name=iface_own,json=ifaceOwn" json:"iface_own,omitempty"`
	// Parameters for the cloned MACVLAN interface inside jail
	// MacvlanVsMa has no description in the schema; presumably the MAC address — confirm in config.proto.
	MacvlanIface *string `protobuf:"bytes,75,opt,name=macvlan_iface,json=macvlanIface" json:"macvlan_iface,omitempty"`
	MacvlanVsIp  *string `protobuf:"bytes,76,opt,name=macvlan_vs_ip,json=macvlanVsIp,def=192.168.0.2" json:"macvlan_vs_ip,omitempty"`
	MacvlanVsNm  *string `protobuf:"bytes,77,opt,name=macvlan_vs_nm,json=macvlanVsNm,def=255.255.255.0" json:"macvlan_vs_nm,omitempty"`
	MacvlanVsGw  *string `protobuf:"bytes,78,opt,name=macvlan_vs_gw,json=macvlanVsGw,def=192.168.0.1" json:"macvlan_vs_gw,omitempty"`
	MacvlanVsMa  *string `protobuf:"bytes,79,opt,name=macvlan_vs_ma,json=macvlanVsMa,def=" json:"macvlan_vs_ma,omitempty"`
	// Binary path (with arguments) to be executed. If not specified here, it
	//can be specified with cmd-line as "-- /path/to/command arg1 arg2"
	ExecBin              *Exe     `protobuf:"bytes,80,opt,name=exec_bin,json=execBin" json:"exec_bin,omitempty"`
	// Generated protobuf bookkeeping fields; not configuration values.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*NsJailConfig) Descriptor

func (*NsJailConfig) Descriptor() ([]byte, []int)

func (*NsJailConfig) GetBindhost

func (m *NsJailConfig) GetBindhost() string

func (*NsJailConfig) GetCap

func (m *NsJailConfig) GetCap() []string

func (*NsJailConfig) GetCgroupCpuMount

func (m *NsJailConfig) GetCgroupCpuMount() string

func (*NsJailConfig) GetCgroupCpuMsPerSec

func (m *NsJailConfig) GetCgroupCpuMsPerSec() uint32

func (*NsJailConfig) GetCgroupCpuParent

func (m *NsJailConfig) GetCgroupCpuParent() string

func (*NsJailConfig) GetCgroupMemMax

func (m *NsJailConfig) GetCgroupMemMax() uint64

func (*NsJailConfig) GetCgroupMemMount

func (m *NsJailConfig) GetCgroupMemMount() string

func (*NsJailConfig) GetCgroupMemParent

func (m *NsJailConfig) GetCgroupMemParent() string

func (*NsJailConfig) GetCgroupNetClsClassid

func (m *NsJailConfig) GetCgroupNetClsClassid() uint32

func (*NsJailConfig) GetCgroupNetClsMount

func (m *NsJailConfig) GetCgroupNetClsMount() string

func (*NsJailConfig) GetCgroupNetClsParent

func (m *NsJailConfig) GetCgroupNetClsParent() string

func (*NsJailConfig) GetCgroupPidsMax

func (m *NsJailConfig) GetCgroupPidsMax() uint64

func (*NsJailConfig) GetCgroupPidsMount

func (m *NsJailConfig) GetCgroupPidsMount() string

func (*NsJailConfig) GetCgroupPidsParent

func (m *NsJailConfig) GetCgroupPidsParent() string

func (*NsJailConfig) GetChrootDir deprecated

func (m *NsJailConfig) GetChrootDir() string

Deprecated: Do not use.

func (*NsJailConfig) GetCloneNewcgroup

func (m *NsJailConfig) GetCloneNewcgroup() bool

func (*NsJailConfig) GetCloneNewipc

func (m *NsJailConfig) GetCloneNewipc() bool

func (*NsJailConfig) GetCloneNewnet

func (m *NsJailConfig) GetCloneNewnet() bool

func (*NsJailConfig) GetCloneNewns

func (m *NsJailConfig) GetCloneNewns() bool

func (*NsJailConfig) GetCloneNewpid

func (m *NsJailConfig) GetCloneNewpid() bool

func (*NsJailConfig) GetCloneNewuser

func (m *NsJailConfig) GetCloneNewuser() bool

func (*NsJailConfig) GetCloneNewuts

func (m *NsJailConfig) GetCloneNewuts() bool

func (*NsJailConfig) GetCwd

func (m *NsJailConfig) GetCwd() string

func (*NsJailConfig) GetDaemon

func (m *NsJailConfig) GetDaemon() bool

func (*NsJailConfig) GetDescription

func (m *NsJailConfig) GetDescription() []string

func (*NsJailConfig) GetDisableNoNewPrivs

func (m *NsJailConfig) GetDisableNoNewPrivs() bool

func (*NsJailConfig) GetEnvar

func (m *NsJailConfig) GetEnvar() []string

func (*NsJailConfig) GetExecBin

func (m *NsJailConfig) GetExecBin() *Exe

func (*NsJailConfig) GetGidmap

func (m *NsJailConfig) GetGidmap() []*IdMap

func (*NsJailConfig) GetHostname

func (m *NsJailConfig) GetHostname() string

func (*NsJailConfig) GetIfaceNoLo

func (m *NsJailConfig) GetIfaceNoLo() bool

func (*NsJailConfig) GetIfaceOwn

func (m *NsJailConfig) GetIfaceOwn() []string

func (*NsJailConfig) GetIsRootRw deprecated

func (m *NsJailConfig) GetIsRootRw() bool

Deprecated: Do not use.

func (*NsJailConfig) GetKeepCaps

func (m *NsJailConfig) GetKeepCaps() bool

func (*NsJailConfig) GetKeepEnv

func (m *NsJailConfig) GetKeepEnv() bool

func (*NsJailConfig) GetLogFd

func (m *NsJailConfig) GetLogFd() int32

func (*NsJailConfig) GetLogFile

func (m *NsJailConfig) GetLogFile() string

func (*NsJailConfig) GetLogLevel

func (m *NsJailConfig) GetLogLevel() LogLevel

func (*NsJailConfig) GetMacvlanIface

func (m *NsJailConfig) GetMacvlanIface() string

func (*NsJailConfig) GetMacvlanVsGw

func (m *NsJailConfig) GetMacvlanVsGw() string

func (*NsJailConfig) GetMacvlanVsIp

func (m *NsJailConfig) GetMacvlanVsIp() string

func (*NsJailConfig) GetMacvlanVsMa

func (m *NsJailConfig) GetMacvlanVsMa() string

func (*NsJailConfig) GetMacvlanVsNm

func (m *NsJailConfig) GetMacvlanVsNm() string

func (*NsJailConfig) GetMaxConnsPerIp

func (m *NsJailConfig) GetMaxConnsPerIp() uint32

func (*NsJailConfig) GetMaxCpus

func (m *NsJailConfig) GetMaxCpus() uint32

func (*NsJailConfig) GetMode

func (m *NsJailConfig) GetMode() Mode

func (*NsJailConfig) GetMount

func (m *NsJailConfig) GetMount() []*MountPt

func (*NsJailConfig) GetMountProc

func (m *NsJailConfig) GetMountProc() bool

func (*NsJailConfig) GetName

func (m *NsJailConfig) GetName() string

func (*NsJailConfig) GetPassFd

func (m *NsJailConfig) GetPassFd() []int32

func (*NsJailConfig) GetPersonaAddrCompatLayout

func (m *NsJailConfig) GetPersonaAddrCompatLayout() bool

func (*NsJailConfig) GetPersonaAddrLimit_3Gb

func (m *NsJailConfig) GetPersonaAddrLimit_3Gb() bool

func (*NsJailConfig) GetPersonaAddrNoRandomize

func (m *NsJailConfig) GetPersonaAddrNoRandomize() bool

func (*NsJailConfig) GetPersonaMmapPageZero

func (m *NsJailConfig) GetPersonaMmapPageZero() bool

func (*NsJailConfig) GetPersonaReadImpliesExec

func (m *NsJailConfig) GetPersonaReadImpliesExec() bool

func (*NsJailConfig) GetPort

func (m *NsJailConfig) GetPort() uint32

func (*NsJailConfig) GetRlimitAs

func (m *NsJailConfig) GetRlimitAs() uint64

func (*NsJailConfig) GetRlimitAsType

func (m *NsJailConfig) GetRlimitAsType() RLimit

func (*NsJailConfig) GetRlimitCore

func (m *NsJailConfig) GetRlimitCore() uint64

func (*NsJailConfig) GetRlimitCoreType

func (m *NsJailConfig) GetRlimitCoreType() RLimit

func (*NsJailConfig) GetRlimitCpu

func (m *NsJailConfig) GetRlimitCpu() uint64

func (*NsJailConfig) GetRlimitCpuType

func (m *NsJailConfig) GetRlimitCpuType() RLimit

func (*NsJailConfig) GetRlimitFsize

func (m *NsJailConfig) GetRlimitFsize() uint64

func (*NsJailConfig) GetRlimitFsizeType

func (m *NsJailConfig) GetRlimitFsizeType() RLimit

func (*NsJailConfig) GetRlimitNofile

func (m *NsJailConfig) GetRlimitNofile() uint64

func (*NsJailConfig) GetRlimitNofileType

func (m *NsJailConfig) GetRlimitNofileType() RLimit

func (*NsJailConfig) GetRlimitNproc

func (m *NsJailConfig) GetRlimitNproc() uint64

func (*NsJailConfig) GetRlimitNprocType

func (m *NsJailConfig) GetRlimitNprocType() RLimit

func (*NsJailConfig) GetRlimitStack

func (m *NsJailConfig) GetRlimitStack() uint64

func (*NsJailConfig) GetRlimitStackType

func (m *NsJailConfig) GetRlimitStackType() RLimit

func (*NsJailConfig) GetSeccompLog

func (m *NsJailConfig) GetSeccompLog() bool

func (*NsJailConfig) GetSeccompPolicyFile

func (m *NsJailConfig) GetSeccompPolicyFile() string

func (*NsJailConfig) GetSeccompString

func (m *NsJailConfig) GetSeccompString() []string

func (*NsJailConfig) GetSilent

func (m *NsJailConfig) GetSilent() bool

func (*NsJailConfig) GetSkipSetsid

func (m *NsJailConfig) GetSkipSetsid() bool

func (*NsJailConfig) GetStderrToNull

func (m *NsJailConfig) GetStderrToNull() bool

func (*NsJailConfig) GetTimeLimit

func (m *NsJailConfig) GetTimeLimit() uint32

func (*NsJailConfig) GetUidmap

func (m *NsJailConfig) GetUidmap() []*IdMap

func (*NsJailConfig) ProtoMessage

func (*NsJailConfig) ProtoMessage()

func (*NsJailConfig) Reset

func (m *NsJailConfig) Reset()

func (*NsJailConfig) String

func (m *NsJailConfig) String() string

func (*NsJailConfig) XXX_DiscardUnknown

func (m *NsJailConfig) XXX_DiscardUnknown()

func (*NsJailConfig) XXX_Marshal

func (m *NsJailConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*NsJailConfig) XXX_Merge

func (m *NsJailConfig) XXX_Merge(src proto.Message)

func (*NsJailConfig) XXX_Size

func (m *NsJailConfig) XXX_Size() int

func (*NsJailConfig) XXX_Unmarshal

func (m *NsJailConfig) XXX_Unmarshal(b []byte) error

type RLimit

// RLimit is the generated Go type for the nsjail.RLimit enum. It selects how
// each NsJailConfig.Rlimit*Type field is interpreted: the explicit Rlimit*
// number is applied only when the type is RLimit_VALUE (see the NsJailConfig
// field comments).
type RLimit int32

// RLimit values. The numbers are the protobuf enum numbers and must not be
// reordered.
const (
	RLimit_VALUE RLimit = iota
	RLimit_SOFT
	RLimit_HARD
	RLimit_INF
)

// Defaults for the NsJailConfig.Rlimit*Type fields. Nproc and Stack default
// to the current soft limit rather than the explicit Rlimit* number.
const (
	Default_NsJailConfig_RlimitAsType     RLimit = RLimit_VALUE
	Default_NsJailConfig_RlimitCoreType   RLimit = RLimit_VALUE
	Default_NsJailConfig_RlimitCpuType    RLimit = RLimit_VALUE
	Default_NsJailConfig_RlimitFsizeType  RLimit = RLimit_VALUE
	Default_NsJailConfig_RlimitNofileType RLimit = RLimit_VALUE
	Default_NsJailConfig_RlimitNprocType  RLimit = RLimit_SOFT
	Default_NsJailConfig_RlimitStackType  RLimit = RLimit_SOFT
)

func (RLimit) Enum

func (x RLimit) Enum() *RLimit

func (RLimit) EnumDescriptor

func (RLimit) EnumDescriptor() ([]byte, []int)

func (RLimit) String

func (x RLimit) String() string

func (*RLimit) UnmarshalJSON

func (x *RLimit) UnmarshalJSON(data []byte) error
