NULL, NULL, NULL /* reserved[123] */
};
+char nsjail__ns_jail_config__name__default_value[] = "";
+char nsjail__ns_jail_config__description__default_value[] = "";
char nsjail__ns_jail_config__hostname__default_value[] = "NSJAIL";
char nsjail__ns_jail_config__cwd__default_value[] = "/";
char nsjail__ns_jail_config__bindhost__default_value[] = "::";
static const protobuf_c_boolean nsjail__ns_jail_config__clone_newipc__default_value = 1;
static const protobuf_c_boolean nsjail__ns_jail_config__clone_newuts__default_value = 1;
static const protobuf_c_boolean nsjail__ns_jail_config__clone_newcgroup__default_value = 0;
-static const protobuf_c_boolean nsjail__ns_jail_config__mount_proc__default_value = 1;
+static const protobuf_c_boolean nsjail__ns_jail_config__mount_proc__default_value = 0;
static const uint64_t nsjail__ns_jail_config__cgroup_mem_max__default_value = 0ull;
static const uint64_t nsjail__ns_jail_config__cgroup_pids_max__default_value = 0ull;
static const protobuf_c_boolean nsjail__ns_jail_config__iface_no_lo__default_value = 0;
-static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[56] = {
+static const ProtobufCFieldDescriptor nsjail__ns_jail_config__field_descriptors[58] = {
{
- "mode",
+ "name",
1,
+ PROTOBUF_C_LABEL_OPTIONAL,
+ PROTOBUF_C_TYPE_STRING,
+ 0, /* quantifier_offset */
+ offsetof(Nsjail__NsJailConfig, name),
+ NULL,
+ &nsjail__ns_jail_config__name__default_value,
+ 0, /* flags */
+ 0, NULL, NULL /* reserved1,reserved2, etc */
+ },
+ {
+ "description",
+ 2,
+ PROTOBUF_C_LABEL_OPTIONAL,
+ PROTOBUF_C_TYPE_STRING,
+ 0, /* quantifier_offset */
+ offsetof(Nsjail__NsJailConfig, description),
+ NULL,
+ &nsjail__ns_jail_config__description__default_value,
+ 0, /* flags */
+ 0, NULL, NULL /* reserved1,reserved2, etc */
+ },
+ {
+ "mode",
+ 3,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_ENUM,
0, /* quantifier_offset */
},
{
"chroot_dir",
- 2,
+ 4,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"is_root_rw",
- 3,
+ 5,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"hostname",
- 6,
+ 8,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"cwd",
- 7,
+ 9,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"port",
- 8,
+ 10,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT32,
0, /* quantifier_offset */
},
{
"bindhost",
- 9,
+ 11,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"max_conns_per_ip",
- 10,
+ 12,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT32,
0, /* quantifier_offset */
},
{
"time_limit",
- 11,
+ 13,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT32,
0, /* quantifier_offset */
},
{
"daemon",
- 12,
+ 14,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"log_file",
- 13,
+ 15,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"log_level",
- 14,
+ 16,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_ENUM,
offsetof(Nsjail__NsJailConfig, has_log_level),
},
{
"keep_env",
- 15,
+ 17,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"envar",
- 16,
+ 18,
PROTOBUF_C_LABEL_REPEATED,
PROTOBUF_C_TYPE_STRING,
offsetof(Nsjail__NsJailConfig, n_envar),
},
{
"silent",
- 17,
+ 19,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"skip_setsid",
- 18,
+ 20,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"pass_fd",
- 19,
+ 21,
PROTOBUF_C_LABEL_REPEATED,
PROTOBUF_C_TYPE_INT32,
offsetof(Nsjail__NsJailConfig, n_pass_fd),
},
{
"pivot_root_only",
- 20,
+ 22,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"disable_no_new_privs",
- 21,
+ 23,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"rlimit_as",
- 22,
+ 24,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
},
{
"rlimit_core",
- 23,
+ 25,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
},
{
"rlimit_cpu",
- 24,
+ 26,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
},
{
"rlimit_fsize",
- 25,
+ 27,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
},
{
"rlimit_nofile",
- 26,
+ 28,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
},
{
"rlimit_nproc",
- 27,
+ 29,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_UINT64,
offsetof(Nsjail__NsJailConfig, has_rlimit_nproc),
},
{
"rlimit_stack",
- 28,
+ 30,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_UINT64,
offsetof(Nsjail__NsJailConfig, has_rlimit_stack),
},
{
"persona_addr_compat_layout",
- 29,
+ 31,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"persona_mmap_page_zero",
- 30,
+ 32,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"persona_read_implies_exec",
- 31,
+ 33,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"persona_addr_limit_3gb",
- 32,
+ 34,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"persona_addr_no_randomize",
- 33,
+ 35,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"clone_newnet",
- 34,
+ 36,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"clone_newuser",
- 35,
+ 37,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"clone_newns",
- 36,
+ 38,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"clone_newpid",
- 37,
+ 39,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"clone_newipc",
- 38,
+ 40,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"clone_newuts",
- 39,
+ 41,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"clone_newcgroup",
- 40,
+ 42,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"uidmap",
- 41,
+ 43,
PROTOBUF_C_LABEL_REPEATED,
PROTOBUF_C_TYPE_MESSAGE,
offsetof(Nsjail__NsJailConfig, n_uidmap),
},
{
"gidmap",
- 42,
+ 44,
PROTOBUF_C_LABEL_REPEATED,
PROTOBUF_C_TYPE_MESSAGE,
offsetof(Nsjail__NsJailConfig, n_gidmap),
0, /* flags */
0, NULL, NULL /* reserved1,reserved2, etc */
},
- {
- "mount",
- 43,
- PROTOBUF_C_LABEL_REPEATED,
- PROTOBUF_C_TYPE_MESSAGE,
- offsetof(Nsjail__NsJailConfig, n_mount),
- offsetof(Nsjail__NsJailConfig, mount),
- &nsjail__mount_pt__descriptor,
- NULL,
- 0, /* flags */
- 0, NULL, NULL /* reserved1,reserved2, etc */
- },
{
"mount_proc",
- 44,
+ 45,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
0, /* flags */
0, NULL, NULL /* reserved1,reserved2, etc */
},
+ {
+ "mount",
+ 46,
+ PROTOBUF_C_LABEL_REPEATED,
+ PROTOBUF_C_TYPE_MESSAGE,
+ offsetof(Nsjail__NsJailConfig, n_mount),
+ offsetof(Nsjail__NsJailConfig, mount),
+ &nsjail__mount_pt__descriptor,
+ NULL,
+ 0, /* flags */
+ 0, NULL, NULL /* reserved1,reserved2, etc */
+ },
{
"seccomp_policy_file",
- 45,
+ 47,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"seccomp_string",
- 46,
+ 48,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"cgroup_mem_max",
- 47,
+ 49,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
},
{
"cgroup_mem_mount",
- 48,
+ 50,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"cgroup_mem_parent",
- 49,
+ 51,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"cgroup_pids_max",
- 50,
+ 52,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_UINT64,
0, /* quantifier_offset */
},
{
"cgroup_pids_mount",
- 51,
+ 53,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"cgroup_pids_parent",
- 52,
+ 54,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"iface_no_lo",
- 53,
+ 55,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_BOOL,
0, /* quantifier_offset */
},
{
"macvlan_iface",
- 54,
+ 56,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"macvlan_vs_ip",
- 55,
+ 57,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"macvlan_vs_nm",
- 56,
+ 58,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"macvlan_vs_gw",
- 57,
+ 59,
PROTOBUF_C_LABEL_REQUIRED,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
},
{
"exec_bin",
- 58,
+ 60,
PROTOBUF_C_LABEL_OPTIONAL,
PROTOBUF_C_TYPE_MESSAGE,
0, /* quantifier_offset */
};
static const unsigned nsjail__ns_jail_config__field_indices_by_name[] = {
- 6, /* field[6] = bindhost */
- 44, /* field[44] = cgroup_mem_max */
- 45, /* field[45] = cgroup_mem_mount */
- 46, /* field[46] = cgroup_mem_parent */
- 47, /* field[47] = cgroup_pids_max */
- 48, /* field[48] = cgroup_pids_mount */
- 49, /* field[49] = cgroup_pids_parent */
- 1, /* field[1] = chroot_dir */
- 37, /* field[37] = clone_newcgroup */
- 35, /* field[35] = clone_newipc */
- 31, /* field[31] = clone_newnet */
- 33, /* field[33] = clone_newns */
- 34, /* field[34] = clone_newpid */
- 32, /* field[32] = clone_newuser */
- 36, /* field[36] = clone_newuts */
- 4, /* field[4] = cwd */
- 9, /* field[9] = daemon */
- 18, /* field[18] = disable_no_new_privs */
- 13, /* field[13] = envar */
- 55, /* field[55] = exec_bin */
- 39, /* field[39] = gidmap */
- 3, /* field[3] = hostname */
- 50, /* field[50] = iface_no_lo */
- 2, /* field[2] = is_root_rw */
- 12, /* field[12] = keep_env */
- 10, /* field[10] = log_file */
- 11, /* field[11] = log_level */
- 51, /* field[51] = macvlan_iface */
- 54, /* field[54] = macvlan_vs_gw */
- 52, /* field[52] = macvlan_vs_ip */
- 53, /* field[53] = macvlan_vs_nm */
- 7, /* field[7] = max_conns_per_ip */
- 0, /* field[0] = mode */
- 40, /* field[40] = mount */
- 41, /* field[41] = mount_proc */
- 16, /* field[16] = pass_fd */
- 26, /* field[26] = persona_addr_compat_layout */
- 29, /* field[29] = persona_addr_limit_3gb */
- 30, /* field[30] = persona_addr_no_randomize */
- 27, /* field[27] = persona_mmap_page_zero */
- 28, /* field[28] = persona_read_implies_exec */
- 17, /* field[17] = pivot_root_only */
- 5, /* field[5] = port */
- 19, /* field[19] = rlimit_as */
- 20, /* field[20] = rlimit_core */
- 21, /* field[21] = rlimit_cpu */
- 22, /* field[22] = rlimit_fsize */
- 23, /* field[23] = rlimit_nofile */
- 24, /* field[24] = rlimit_nproc */
- 25, /* field[25] = rlimit_stack */
- 42, /* field[42] = seccomp_policy_file */
- 43, /* field[43] = seccomp_string */
- 14, /* field[14] = silent */
- 15, /* field[15] = skip_setsid */
- 8, /* field[8] = time_limit */
- 38, /* field[38] = uidmap */
+ 8, /* field[8] = bindhost */
+ 46, /* field[46] = cgroup_mem_max */
+ 47, /* field[47] = cgroup_mem_mount */
+ 48, /* field[48] = cgroup_mem_parent */
+ 49, /* field[49] = cgroup_pids_max */
+ 50, /* field[50] = cgroup_pids_mount */
+ 51, /* field[51] = cgroup_pids_parent */
+ 3, /* field[3] = chroot_dir */
+ 39, /* field[39] = clone_newcgroup */
+ 37, /* field[37] = clone_newipc */
+ 33, /* field[33] = clone_newnet */
+ 35, /* field[35] = clone_newns */
+ 36, /* field[36] = clone_newpid */
+ 34, /* field[34] = clone_newuser */
+ 38, /* field[38] = clone_newuts */
+ 6, /* field[6] = cwd */
+ 11, /* field[11] = daemon */
+ 1, /* field[1] = description */
+ 20, /* field[20] = disable_no_new_privs */
+ 15, /* field[15] = envar */
+ 57, /* field[57] = exec_bin */
+ 41, /* field[41] = gidmap */
+ 5, /* field[5] = hostname */
+ 52, /* field[52] = iface_no_lo */
+ 4, /* field[4] = is_root_rw */
+ 14, /* field[14] = keep_env */
+ 12, /* field[12] = log_file */
+ 13, /* field[13] = log_level */
+ 53, /* field[53] = macvlan_iface */
+ 56, /* field[56] = macvlan_vs_gw */
+ 54, /* field[54] = macvlan_vs_ip */
+ 55, /* field[55] = macvlan_vs_nm */
+ 9, /* field[9] = max_conns_per_ip */
+ 2, /* field[2] = mode */
+ 43, /* field[43] = mount */
+ 42, /* field[42] = mount_proc */
+ 0, /* field[0] = name */
+ 18, /* field[18] = pass_fd */
+ 28, /* field[28] = persona_addr_compat_layout */
+ 31, /* field[31] = persona_addr_limit_3gb */
+ 32, /* field[32] = persona_addr_no_randomize */
+ 29, /* field[29] = persona_mmap_page_zero */
+ 30, /* field[30] = persona_read_implies_exec */
+ 19, /* field[19] = pivot_root_only */
+ 7, /* field[7] = port */
+ 21, /* field[21] = rlimit_as */
+ 22, /* field[22] = rlimit_core */
+ 23, /* field[23] = rlimit_cpu */
+ 24, /* field[24] = rlimit_fsize */
+ 25, /* field[25] = rlimit_nofile */
+ 26, /* field[26] = rlimit_nproc */
+ 27, /* field[27] = rlimit_stack */
+ 44, /* field[44] = seccomp_policy_file */
+ 45, /* field[45] = seccomp_string */
+ 16, /* field[16] = silent */
+ 17, /* field[17] = skip_setsid */
+ 10, /* field[10] = time_limit */
+ 40, /* field[40] = uidmap */
};
static const ProtobufCIntRange nsjail__ns_jail_config__number_ranges[2 + 1] = {
{1, 0},
- {6, 3},
- {0, 56}
+ {8, 5},
+ {0, 58}
};
const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor = {
"Nsjail__NsJailConfig",
"nsjail",
sizeof(Nsjail__NsJailConfig),
- 56,
+ 58,
nsjail__ns_jail_config__field_descriptors,
nsjail__ns_jail_config__field_indices_by_name,
2, nsjail__ns_jail_config__number_ranges,
typedef enum _Nsjail__Mode {
/*
- * Listening on a TCP port
+ * Listening on a TCP port
*/
NSJAIL__MODE__LISTEN = 0,
/*
- * Running the command once only
+ * Running the command once only
*/
NSJAIL__MODE__ONCE = 1,
/*
- * Re-executing the command (forever)
+ * Re-executing the command (forever)
*/
NSJAIL__MODE__RERUN = 2,
/*
* Should be self explanatory
*/
typedef enum _Nsjail__LogLevel {
+ /*
+ * Equivalent to the '-v' cmd-line option
+ */
NSJAIL__LOG_LEVEL__DEBUG = 0,
+ /*
+ * Default level
+ */
NSJAIL__LOG_LEVEL__INFO = 1,
+ /*
+ * Equivalent to the '-q' cmd-line option
+ */
NSJAIL__LOG_LEVEL__WARNING = 2,
NSJAIL__LOG_LEVEL__ERROR = 3,
NSJAIL__LOG_LEVEL__FATAL = 4 PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(NSJAIL__LOG_LEVEL)
char *inside_id;
char *outside_id;
/*
- * 'man user_namespaces' for the meaning of count
+ * See 'man user_namespaces' for the meaning of count
*/
uint32_t count;
/*
protobuf_c_boolean is_ro;
/*
* Is it directory? If not specified an internal
- * heuristics will be used to determine that
+ *heuristics will be used to determine that
*/
protobuf_c_boolean has_is_dir;
protobuf_c_boolean is_dir;
struct _Nsjail__Exe {
ProtobufCMessage base;
/*
- * This will be usef both for path and for argv[0]
+ * Will be used both as execv's path and as argv[0]
*/
char *path;
/*
struct _Nsjail__NsJailConfig {
ProtobufCMessage base;
+ /*
+ * Optional name and description for this config
+ */
+ char *name;
+ char *description;
/*
* Execution mode: see 'msg Mode' description for more
*/
Nsjail__Mode mode;
/*
- * Equivalent to a bind mount with src='/', dst='/'
+ * Equivalent to a bind mount with dst='/'
*/
char *chroot_dir;
/*
*/
protobuf_c_boolean disable_no_new_privs;
/*
- * In MiB
+ * In MiB
*/
uint64_t rlimit_as;
/*
- * In MiB
+ * In MiB
*/
uint64_t rlimit_core;
/*
*/
uint64_t rlimit_cpu;
/*
- * In MiB
+ * In MiB
*/
uint64_t rlimit_fsize;
uint64_t rlimit_nofile;
+ /*
+ * This is system-wide: tricky to use
+ */
protobuf_c_boolean has_rlimit_nproc;
uint64_t rlimit_nproc;
/*
- * In MiB
+ * In MiB
*/
protobuf_c_boolean has_rlimit_stack;
uint64_t rlimit_stack;
Nsjail__IdMap **uidmap;
size_t n_gidmap;
Nsjail__IdMap **gidmap;
+ /*
+ * Should /proc be mounted (R/O)? This can also be added in the 'mount'
+ *section below
+ */
+ protobuf_c_boolean mount_proc;
/*
* Mount points inside the jail. See the description for 'msg MountPt'
*for more
size_t n_mount;
Nsjail__MountPt **mount;
/*
- * Should /proc be mounted? One can also force this in the 'mount'
- */
- protobuf_c_boolean mount_proc;
- /*
- * Kafel seccomp policy file or string.
+ * Kafel seccomp-bpf policy file or a string:
*Homepage of the project: https://github.com/google/kafel
*/
char *seccomp_policy_file;
char *seccomp_string;
/*
- * If > 0, maximum cumulative size of RAM used inside jail
+ * If > 0, maximum cumulative size of RAM used inside any jail
*/
/*
* In MiB
*/
uint64_t cgroup_mem_max;
/*
- * Mount point for cgroups-memory
+ * Mount point for cgroups-memory in your system
*/
char *cgroup_mem_mount;
/*
*/
uint64_t cgroup_pids_max;
/*
- * Mount point for cgroups-memory
+ * Mount point for cgroups-pids in your system
*/
char *cgroup_pids_mount;
/*
*/
char *cgroup_pids_parent;
/*
- * Should the 'lo' interface be brought up inside jail?
+ * Should the 'lo' interface be brought up (active) inside this jail?
*/
protobuf_c_boolean iface_no_lo;
/*
char *macvlan_vs_nm;
char *macvlan_vs_gw;
/*
- * Binary with arguments to be executed. If not specified here, it can be
- *specified with the command-line as "-- /path/to/command arg1 arg2"
+ * Binary path (with arguments) to be executed. If not specified here, it
+ *can be specified with cmd-line as "-- /path/to/command arg1 arg2"
*/
Nsjail__Exe *exec_bin;
};
+extern char nsjail__ns_jail_config__name__default_value[];
+extern char nsjail__ns_jail_config__description__default_value[];
extern char nsjail__ns_jail_config__hostname__default_value[];
extern char nsjail__ns_jail_config__cwd__default_value[];
extern char nsjail__ns_jail_config__bindhost__default_value[];
extern char nsjail__ns_jail_config__macvlan_vs_gw__default_value[];
#define NSJAIL__NS_JAIL_CONFIG__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&nsjail__ns_jail_config__descriptor) \
- , NSJAIL__MODE__ONCE, NULL, 0, nsjail__ns_jail_config__hostname__default_value, nsjail__ns_jail_config__cwd__default_value, 0u, nsjail__ns_jail_config__bindhost__default_value, 0u, 600u, 0, NULL, 0,0, 0, 0,NULL, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL, 0,NULL, 1, NULL, NULL, 0ull, nsjail__ns_jail_config__cgroup_mem_mount__default_value, nsjail__ns_jail_config__cgroup_mem_parent__default_value, 0ull, nsjail__ns_jail_config__cgroup_pids_mount__default_value, nsjail__ns_jail_config__cgroup_pids_parent__default_value, 0, NULL, nsjail__ns_jail_config__macvlan_vs_ip__default_value, nsjail__ns_jail_config__macvlan_vs_nm__default_value, nsjail__ns_jail_config__macvlan_vs_gw__default_value, NULL }
+ , nsjail__ns_jail_config__name__default_value, nsjail__ns_jail_config__description__default_value, NSJAIL__MODE__ONCE, NULL, 0, nsjail__ns_jail_config__hostname__default_value, nsjail__ns_jail_config__cwd__default_value, 0u, nsjail__ns_jail_config__bindhost__default_value, 0u, 600u, 0, NULL, 0,0, 0, 0,NULL, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL, 0, 0,NULL, NULL, NULL, 0ull, nsjail__ns_jail_config__cgroup_mem_mount__default_value, nsjail__ns_jail_config__cgroup_mem_parent__default_value, 0ull, nsjail__ns_jail_config__cgroup_pids_mount__default_value, nsjail__ns_jail_config__cgroup_pids_parent__default_value, 0, NULL, nsjail__ns_jail_config__macvlan_vs_ip__default_value, nsjail__ns_jail_config__macvlan_vs_nm__default_value, nsjail__ns_jail_config__macvlan_vs_gw__default_value, NULL }
/* Nsjail__IdMap methods */
void nsjail__id_map__init(Nsjail__IdMap * message);
}
message NsJailConfig
{
+ /* Optional name and description for this config */
+ optional string name = 1 [ default = "" ];
+ optional string description = 2 [ default = "" ];
+
/* Execution mode: see 'msg Mode' description for more */
- required Mode mode = 1 [ default = ONCE ];
+ required Mode mode = 3 [ default = ONCE ];
/* Equivalent to a bind mount with dst='/' */
- optional string chroot_dir = 2;
+ optional string chroot_dir = 4;
/* Applies both to the chroot_dir and to /proc mounts */
- required bool is_root_rw = 3 [ default = false ];
+ required bool is_root_rw = 5 [ default = false ];
/* Hostname inside jail */
- required string hostname = 6 [ default = "NSJAIL" ];
+ required string hostname = 8 [ default = "NSJAIL" ];
/* Initial current working directory for the binary */
- required string cwd = 7 [ default = "/" ];
+ required string cwd = 9 [ default = "/" ];
/* TCP port to listen to. Valid with mode=LISTEN only */
- required uint32 port = 8 [ default = 0 ];
+ required uint32 port = 10 [ default = 0 ];
/* Host to bind to for mode=LISTEN. Must be in IPv6 format */
- required string bindhost = 9 [ default = "::" ];
+ required string bindhost = 11 [ default = "::" ];
/* For mode=LISTEN, maximum number of connections from a single IP */
- required uint32 max_conns_per_ip = 10 [ default = 0 ];
+ required uint32 max_conns_per_ip = 12 [ default = 0 ];
/* Wall-time time limit for commands */
- required uint32 time_limit = 11 [ default = 600 ];
+ required uint32 time_limit = 13 [ default = 600 ];
/* Should nsjail go into background? */
- required bool daemon = 12 [ default = false ];
+ required bool daemon = 14 [ default = false ];
/* File to save lofs to */
- optional string log_file = 13;
+ optional string log_file = 15;
/* Minimum log level displayed.
See 'msg LogLevel' description for more */
- optional LogLevel log_level = 14;
+ optional LogLevel log_level = 16;
/* Should the current environment variables be kept
when executing the binary */
- required bool keep_env = 15 [ default = false ];
+ required bool keep_env = 17 [ default = false ];
/* EnvVars to be set before executing binaries */
- repeated string envar = 16;
+ repeated string envar = 18;
/* Should nsjail close FD=0,1,2 before executing the process */
- required bool silent = 17 [ default = false ];
+ required bool silent = 19 [ default = false ];
/* Should the child process have control over terminal?
Can be useful to allow /bin/sh to provide
job control / signals */
- required bool skip_setsid = 18 [ default = false ];
+ required bool skip_setsid = 20 [ default = false ];
/* Which FDs should be passed to the newly executed process
By default only FD=0,1,2 are passed */
- repeated int32 pass_fd = 19;
+ repeated int32 pass_fd = 21;
/* Should pivot_root be used instead of chroot?
Using pivot_root allows to have subnamespaces */
- required bool pivot_root_only = 20 [ default = false ];
+ required bool pivot_root_only = 22 [ default = false ];
/* Setting it to true will allow to have set-uid binaries
inside the jail */
- required bool disable_no_new_privs = 21 [ default = false ];
+ required bool disable_no_new_privs = 23 [ default = false ];
- required uint64 rlimit_as = 22 [ default = 512 ]; /* In MiB */
- required uint64 rlimit_core = 23 [ default = 0 ]; /* In MiB */
- required uint64 rlimit_cpu = 24 [ default = 600 ]; /* In seconds */
- required uint64 rlimit_fsize = 25 [ default = 1 ]; /* In MiB */
- required uint64 rlimit_nofile = 26 [ default = 32 ];
- optional uint64 rlimit_nproc = 27; /* This is system-wide: tricky to use */
- optional uint64 rlimit_stack = 28; /* In MiB */
+ required uint64 rlimit_as = 24 [ default = 512 ]; /* In MiB */
+ required uint64 rlimit_core = 25 [ default = 0 ]; /* In MiB */
+ required uint64 rlimit_cpu = 26 [ default = 600 ]; /* In seconds */
+ required uint64 rlimit_fsize = 27 [ default = 1 ]; /* In MiB */
+ required uint64 rlimit_nofile = 28 [ default = 32 ];
+ optional uint64 rlimit_nproc = 29; /* This is system-wide: tricky to use */
+ optional uint64 rlimit_stack = 30; /* In MiB */
/* See 'man personality' for more */
- required bool persona_addr_compat_layout = 29 [ default = false ];
- required bool persona_mmap_page_zero = 30 [ default = false ];
- required bool persona_read_implies_exec = 31 [ default = false ];
- required bool persona_addr_limit_3gb = 32 [ default = false ];
- required bool persona_addr_no_randomize = 33 [ default = false ];
+ required bool persona_addr_compat_layout = 31 [ default = false ];
+ required bool persona_mmap_page_zero = 32 [ default = false ];
+ required bool persona_read_implies_exec = 33 [ default = false ];
+ required bool persona_addr_limit_3gb = 34 [ default = false ];
+ required bool persona_addr_no_randomize = 35 [ default = false ];
/* Which name-spaces should be used? */
- required bool clone_newnet = 34 [ default = true ];
- required bool clone_newuser = 35 [ default = true ];
- required bool clone_newns = 36 [ default = true ];
- required bool clone_newpid = 37 [ default = true ];
- required bool clone_newipc = 38 [ default = true ];
- required bool clone_newuts = 39 [ default = true ];
+ required bool clone_newnet = 36 [ default = true ];
+ required bool clone_newuser = 37 [ default = true ];
+ required bool clone_newns = 38 [ default = true ];
+ required bool clone_newpid = 39 [ default = true ];
+ required bool clone_newipc = 40 [ default = true ];
+ required bool clone_newuts = 41 [ default = true ];
/* It's only supported in newer kernels, hence disabled by default */
- required bool clone_newcgroup = 40 [ default = false ];
+ required bool clone_newcgroup = 42 [ default = false ];
/* Mappings for UIDs and GIDs. See the description for 'msg IdMap'
for more */
- repeated IdMap uidmap = 41;
- repeated IdMap gidmap = 42;
+ repeated IdMap uidmap = 43;
+ repeated IdMap gidmap = 44;
/* Should /proc be mounted (R/O)? This can also be added in the 'mount'
section below */
- required bool mount_proc = 43 [ default = false ];
+ required bool mount_proc = 45 [ default = false ];
/* Mount points inside the jail. See the description for 'msg MountPt'
for more */
- repeated MountPt mount = 44;
+ repeated MountPt mount = 46;
/* Kafel seccomp-bpf policy file or a string:
Homepage of the project: https://github.com/google/kafel */
- optional string seccomp_policy_file = 45;
- optional string seccomp_string = 46;
+ optional string seccomp_policy_file = 47;
+ optional string seccomp_string = 48;
/* If > 0, maximum cumulative size of RAM used inside any jail */
- required uint64 cgroup_mem_max = 47 [ default = 0 ]; /* In MiB */
+ required uint64 cgroup_mem_max = 49 [ default = 0 ]; /* In MiB */
/* Mount point for cgroups-memory in your system */
- required string cgroup_mem_mount = 48 [ default = "/sys/fs/cgroup/memory" ];
+ required string cgroup_mem_mount = 50 [ default = "/sys/fs/cgroup/memory" ];
/* Writeable directory (for the nsjail user) under cgroup_mem_mount */
- required string cgroup_mem_parent = 49 [ default = "NSJAIL" ];
+ required string cgroup_mem_parent = 51 [ default = "NSJAIL" ];
/* If > 0, maximum number of PIDs (threads/processes) inside jail */
- required uint64 cgroup_pids_max = 50 [ default = 0 ];
+ required uint64 cgroup_pids_max = 52 [ default = 0 ];
/* Mount point for cgroups-pids in your system */
- required string cgroup_pids_mount = 51 [ default = "/sys/fs/cgroup/pids" ];
+ required string cgroup_pids_mount = 53 [ default = "/sys/fs/cgroup/pids" ];
/* Writeable directory (for the nsjail user) under cgroup_pids_mount */
- required string cgroup_pids_parent = 52 [ default = "NSJAIL" ];
+ required string cgroup_pids_parent = 54 [ default = "NSJAIL" ];
/* Should the 'lo' interface be brought up (active) inside this jail? */
- required bool iface_no_lo = 53 [ default = false ];
+ required bool iface_no_lo = 55 [ default = false ];
/* Parameters for the cloned MACVLAN interface inside jail */
- optional string macvlan_iface = 54; /* Interface to be cloned, eg 'eth0' */
- required string macvlan_vs_ip = 55 [ default = "192.168.0.2" ];
- required string macvlan_vs_nm = 56 [ default = "255.255.255.0" ];
- required string macvlan_vs_gw = 57 [ default = "192.168.0.1" ];
+ optional string macvlan_iface = 56; /* Interface to be cloned, eg 'eth0' */
+ required string macvlan_vs_ip = 57 [ default = "192.168.0.2" ];
+ required string macvlan_vs_nm = 58 [ default = "255.255.255.0" ];
+ required string macvlan_vs_gw = 59 [ default = "192.168.0.1" ];
/* Binary path (with arguments) to be executed. If not specified here, it
can be specified with cmd-line as "-- /path/to/command arg1 arg2" */
- optional Exe exec_bin = 58;
+ optional Exe exec_bin = 60;
}
projects / platform / upstream / nsjail.git / commitdiff