This reduces the scope of the fst package, which was growing questionably large. Signed-off-by: Ophestra <cat@gensokyo.uk>
package fst
|
|
|
|
import (
|
|
"git.gensokyo.uk/security/fortify/sandbox/seccomp"
|
|
)
|
|
|
|
// SandboxConfig describes resources made available to the sandbox.
|
|
type (
|
|
SandboxConfig struct {
|
|
// container hostname
|
|
Hostname string `json:"hostname,omitempty"`
|
|
|
|
// extra seccomp flags
|
|
Seccomp seccomp.FilterOpts `json:"seccomp"`
|
|
// allow ptrace and friends
|
|
Devel bool `json:"devel,omitempty"`
|
|
// allow userns creation in container
|
|
Userns bool `json:"userns,omitempty"`
|
|
// share host net namespace
|
|
Net bool `json:"net,omitempty"`
|
|
// expose main process tty
|
|
Tty bool `json:"tty,omitempty"`
|
|
// allow multiarch
|
|
Multiarch bool `json:"multiarch,omitempty"`
|
|
|
|
// initial process environment variables
|
|
Env map[string]string `json:"env"`
|
|
// map target user uid to privileged user uid in the user namespace
|
|
MapRealUID bool `json:"map_real_uid"`
|
|
|
|
// expose all devices
|
|
Device bool `json:"device,omitempty"`
|
|
// container host filesystem bind mounts
|
|
Filesystem []*FilesystemConfig `json:"filesystem"`
|
|
// create symlinks inside container filesystem
|
|
Link [][2]string `json:"symlink"`
|
|
|
|
// direct access to wayland socket; when this gets set no attempt is made to attach security-context-v1
|
|
// and the bare socket is mounted to the sandbox
|
|
DirectWayland bool `json:"direct_wayland,omitempty"`
|
|
|
|
// read-only /etc directory
|
|
Etc string `json:"etc,omitempty"`
|
|
// automatically set up /etc symlinks
|
|
AutoEtc bool `json:"auto_etc"`
|
|
// cover these paths or create them if they do not already exist
|
|
Cover []string `json:"cover"`
|
|
}
|
|
|
|
// FilesystemConfig is a representation of [sandbox.BindMount].
|
|
FilesystemConfig struct {
|
|
// mount point in container, same as src if empty
|
|
Dst string `json:"dst,omitempty"`
|
|
// host filesystem path to make available to the container
|
|
Src string `json:"src"`
|
|
// do not mount filesystem read-only
|
|
Write bool `json:"write,omitempty"`
|
|
// do not disable device files
|
|
Device bool `json:"dev,omitempty"`
|
|
// fail if the bind mount cannot be established for any reason
|
|
Must bool `json:"require,omitempty"`
|
|
}
|
|
)
|
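Review bot: The comment on `Link [][2]string` does not say which element of each pair is the symlink target and which is the link path inside the container, so a reader of this file alone cannot tell the direction of the link. Because the struct carries JSON tags and is evidently meant to be decoded from a config document, a swapped pair could create a link pointing somewhere unintended; suggest extending the comment to `// create symlinks inside container filesystem; each pair is [<target>, <link path>] (order to be confirmed against the code that applies Link)` with the placeholders filled in from the consumer. `Filesystem []*FilesystemConfig` would likewise benefit from a note that a JSON `null` element decodes to a nil pointer which the consumer must reject, if that is not already handled elsewhere. Separately, `Must` is serialised under the key `require`, and `FilesystemConfig.Device` uses `dev` while `SandboxConfig.Device` uses `device`; a short comment on each naming the wire key would spare readers the surprise when matching a config file to these fields.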