package nsjail;
enum Mode {
- LISTEN = 0; /* Listening on a TCP port */
- ONCE = 1; /* Running the command once only */
- RERUN = 2; /* Re-executing the command (forever) */
+ LISTEN = 0; /* Listening on a TCP port */
+ ONCE = 1; /* Running the command once only */
+ RERUN = 2; /* Re-executing the command (forever) */
EXECVE = 3; /* Executing command w/o the supervisor */
}
-/* Should be self explanatory */ enum LogLevel {
+/* Should be self explanatory */
+enum LogLevel {
DEBUG = 0;
INFO = 1;
WARNING = 2;
/* It it RO mount */
required bool is_ro = 6 [ default = false ];
/* Is it directory? If not specified an internal
- * heuristics will be used to determine that */
+ heuristics will be used to determine that */
optional bool is_dir = 7;
- /* Should the sandboxing fail if we cannot mount this resource? */
- required bool mandatory = 8 [default = true];
+ /* Should the sandboxing fail if we cannot mount this resource? */
+ required bool mandatory = 8 [ default = true ];
}
message Exe
{
/* File to save lofs to */
optional string log_file = 13;
/* Minimum log level displayed.
- See 'msg LogLevel' description for more */
+ See 'msg LogLevel' description for more */
optional LogLevel log_level = 14;
/* Should the current environment variables be kept
- when executing the binary */
+ when executing the binary */
required bool keep_env = 15 [ default = false ];
/* EnvVars to be set before executing binaries */
repeated string envar = 16;
/* Should nsjail close FD=0,1,2 before executing the process */
required bool silent = 17 [ default = false ];
/* Should the child process have control over terminal?
- Can be useful to allow /bin/sh to provide
- job control / signals */
+ Can be useful to allow /bin/sh to provide
+ job control / signals */
required bool skip_setsid = 18 [ default = false ];
/* Which FDs should be passed to the newly executed process
- By default only FD=0,1,2 are passed */
+ By default only FD=0,1,2 are passed */
repeated int32 pass_fd = 19;
/* Should pivot_root be used instead of chroot?
- Using pivot_root allows to have subnamespaces */
+ Using pivot_root allows to have subnamespaces */
required bool pivot_root_only = 20 [ default = false ];
/* Setting it to true will allow to have set-uid binaries
- inside the jail */
+ inside the jail */
required bool disable_no_new_privs = 21 [ default = false ];
required uint64 rlimit_as = 22 [ default = 512 ]; /* In MiB */
required bool clone_newcgroup = 40 [ default = false ];
/* Mappings for UIDs and GIDs. See the description for 'msg IdMap'
- for more */
+ for more */
repeated IdMap uidmap = 41;
repeated IdMap gidmap = 42;
/* Should /proc be mounted? One can also force this in the 'mount' */
required bool mount_proc = 43 [ default = true ];
/* Mount points inside the jail. See the description for 'msg MountPt'
- for more */
+ for more */
repeated MountPt mount = 44;
/* Kafel seccomp policy file or string.
- Homepage of the project: https://github.com/google/kafel */
+ Homepage of the project: https://github.com/google/kafel */
optional string seccomp_policy_file = 45;
optional string seccomp_string = 46;
required string macvlan_vs_gw = 57 [ default = "192.168.0.1" ];
/* Binary with arguments to be executed. If not specified here, it can be
- specified with the command-line as "-- /path/to/command arg1 arg2" */
+ specified with the command-line as "-- /path/to/command arg1 arg2" */
optional Exe exec_bin = 58;
}
projects / platform / upstream / nsjail.git / commitdiff