// Option-table rows. Each row pairs a long-option record (option name, whether
// an argument is required, nullptr, and either a short-option character or a
// numeric code) with the help text for that option.
// NOTE(review): the field order looks like getopt_long's struct option; the
// enclosing array declaration is outside this excerpt -- confirm there.
//
// Configuration source and the program to execute.
{{"config",required_argument,nullptr,'C'},"Configuration file in the config.proto ProtoBuf format (see configs/ directory for examples)"},
{{"exec_file",required_argument,nullptr,'x'},"File to exec (default: argv[0])"},
// Per the help text, with --execute_fd the argv[0]/exec_file path is the one
// seen before mount namespacing, not a path inside the jail's mount view.
{{"execute_fd",no_argument,nullptr,0x0607},"Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing"},
// Root filesystem of the jail. The help text gives "none" as the --chroot default.
{{"chroot",required_argument,nullptr,'c'},"Directory containing / of the jail (default: none)"},
// Security-relevant: the help text itself warns that the mount(MS_MOVE) + chroot
// fallback can be escaped in some setups; keep the pivot_root default unless the
// environment (e.g. initramfs) forbids it.
// NOTE(review): help-text typos -- "Usefull", and "escapable is some configuration"
// (presumably "in some configurations").
{{"no_pivotroot",no_argument,nullptr,0x600},"When creating a mount namespace, use mount(MS_MOVE) and chroot rather than pivot_root. Usefull when pivot_root is disallowed (e.g. initramfs). Note: escapable is some configuration"},
// Security-relevant: makes the jail's / writable; the default is read-only.
{{"rw",no_argument,nullptr,0x601},"Mount chroot dir (/) R/W (default: R/O)"},
// Identity and working environment of the jailed process.
// Both --user and --group default to the caller's current id and also accept an
// inside:outside:count triple.
// NOTE(review): the two help strings name the middle field differently
// ("outside_ns_uid" vs "global_ns_gid"); presumably the same meaning -- confirm.
{{"user",required_argument,nullptr,'u'},"Username/uid of processes inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times"},
{{"group",required_argument,nullptr,'g'},"Groupname/gid of processes inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times"},
{{"hostname",required_argument,nullptr,'H'},"UTS name (hostname) of the jail (default: 'NSJAIL')"},
{{"cwd",required_argument,nullptr,'D'},"Directory in the namespace the process will run (default: '/')"},
// TCP listener options (the help text ties all four to MODE_LISTEN_TCP).
{{"port",required_argument,nullptr,'p'},"TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)"},
// The default bind address '::' is the IPv6 unspecified address, i.e. the
// listener is not restricted to one interface unless --bindhost narrows it.
{{"bindhost",required_argument,nullptr,0x604},"IP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')"},
// Both connection caps default to 0 = unlimited; set explicit values on an
// exposed listener so that the number of spawned jails stays bounded.
{{"max_conns",required_argument,nullptr,0x608},"Maximum number of connections across all IPs (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))"},
{{"max_conns_per_ip",required_argument,nullptr,'i'},"Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))"},
// Logging and environment handling.
{{"log",required_argument,nullptr,'l'},"Log file (default: use log_fd)"},
// Security-relevant: the default clears every environment variable; --keep_env
// forwards the caller's whole environment to the child instead. Prefer --env
// for the specific variables the child needs.
{{"keep_env",no_argument,nullptr,'e'},"Pass all environment variables to the child process (default: all envars are cleared)"},
// A bare name without '=' copies the caller's current value of that variable.
{{"env",required_argument,nullptr,'E'},"Additional environment variable (can be used multiple times). If the envar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envar value will be used"},
// Capabilities, standard streams, session handling and inherited descriptors.
// Security-relevant: --keep_caps retains every capability; --cap retains only
// the named ones and is the narrower choice.
{{"keep_caps",no_argument,nullptr,0x0501},"Don't drop any capabilities"},
// NOTE(review): the Linux capability is named CAP_SYS_PTRACE; check whether the
// "CAP_PTRACE" example in the help text is a name the parser accepts.
{{"cap",required_argument,nullptr,0x0509},"Retain this capability, e.g. CAP_PTRACE (can be specified multiple times)"},
{{"silent",no_argument,nullptr,0x0502},"Redirect child process' fd:0/1/2 to /dev/null"},
{{"stderr_to_null",no_argument,nullptr,0x0503},"Redirect child process' fd:2 (STDERR_FILENO) to /dev/null"},
// Security-relevant (help text: "Dangerous"): without setsid() the child stays
// in the caller's session and keeps access to its controlling terminal.
{{"skip_setsid",no_argument,nullptr,0x0504},"Don't call setsid(), allows for terminal signal handling in the sandboxed process. Dangerous"},
// Every descriptor passed here stays open in the child, in addition to 0/1/2;
// pass only descriptors the jailed program is meant to use.
{{"pass_fd",required_argument,nullptr,0x0505},"Don't close this FD before executing the child process (can be specified multiple times), by default: 0/1/2 are kept open"},
// Security-relevant (help text: "DANGEROUS"): with no_new_privs unset, an
// execve() of a set-uid or file-capability binary inside the jail can gain
// privileges again.
{{"disable_no_new_privs",no_argument,nullptr,0x0507},"Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)"},
// Resource limits. Every rlimit option accepts a number or one of the keywords
// 'max'/'hard', 'def'/'soft', 'inf'. Units differ per option according to the
// help text: MB for as/core/fsize/stack, KB for memlock, bytes for msgqueue;
// cpu, nofile, nproc and rtprio state no unit.
// Numeric defaults are given for as (4096), core (0), cpu (600), fsize (1) and
// nofile (32); the remaining limits default to the caller's soft limit.
{{"rlimit_as",required_argument,nullptr,0x0201},"RLIMIT_AS in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 4096)"},
{{"rlimit_core",required_argument,nullptr,0x0202},"RLIMIT_CORE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 0)"},
{{"rlimit_cpu",required_argument,nullptr,0x0203},"RLIMIT_CPU, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 600)"},
{{"rlimit_fsize",required_argument,nullptr,0x0204},"RLIMIT_FSIZE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 1)"},
{{"rlimit_nofile",required_argument,nullptr,0x0205},"RLIMIT_NOFILE, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 32)"},
// nproc defaults to the caller's soft limit, so the jail has no process cap of
// its own unless this option or a pids cgroup limit is set.
{{"rlimit_nproc",required_argument,nullptr,0x0206},"RLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')"},
{{"rlimit_stack",required_argument,nullptr,0x0207},"RLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')"},
{{"rlimit_memlock",required_argument,nullptr,0x0209},"RLIMIT_MEMLOCK in KB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')"},
{{"rlimit_rtprio",required_argument,nullptr,0x0210},"RLIMIT_RTPRIO, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')"},
{{"rlimit_msgqueue",required_argument,nullptr,0x0211},"RLIMIT_MSGQUEUE in bytes, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')"},
// Security-relevant: turns off all of the limits above at once; the jail then
// runs with whatever limits the parent process has.
{{"disable_rlimits",no_argument,nullptr,0x0208},"Disable all rlimits, default to limits set by parent"},
// Namespace selection. The disable_* names imply each of these namespaces is
// used unless its option is given, so every disable_* switch removes one
// isolation layer; the time namespace is the only opt-in one in this group.
// Security-relevant: without CLONE_NEWNET the jail shares the caller's network.
{{"disable_clone_newnet",no_argument,nullptr,'N'},"Don't use CLONE_NEWNET. Enable global networking inside the jail"},
// Security-relevant: without a user namespace the tool must run with euid==0
// (per the help text), so uids inside the jail are not remapped by it.
{{"disable_clone_newuser",no_argument,nullptr,0x0402},"Don't use CLONE_NEWUSER. Requires euid==0"},
{{"disable_clone_newns",no_argument,nullptr,0x0403},"Don't use CLONE_NEWNS"},
{{"disable_clone_newpid",no_argument,nullptr,0x0404},"Don't use CLONE_NEWPID"},
{{"disable_clone_newipc",no_argument,nullptr,0x0405},"Don't use CLONE_NEWIPC"},
{{"disable_clone_newuts",no_argument,nullptr,0x0406},"Don't use CLONE_NEWUTS"},
{{"disable_clone_newcgroup",no_argument,nullptr,0x0407},"Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6"},
// NOTE(review): time_namespaces(7) documents time namespaces as available since
// Linux 5.6; verify the ">= 5.3" stated in the help text.
{{"enable_clone_newtime",no_argument,nullptr,0x0408},"Use CLONE_NEWTIME. Supported with kernel versions >= 5.3"},
// Custom id mappings in inside:outside:count form. Per the help text these
// depend on the set-uid helpers newuidmap / newgidmap being present on the host.
{{"uid_mapping",required_argument,nullptr,'U'},"Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present"},
{{"gid_mapping",required_argument,nullptr,'G'},"Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap (set-uid) to be present"},
// Mounts visible inside the jail. Bind mounts take 'source' or 'source:dest'.
// Prefer the read-only form; a read-write bind mount lets the jailed process
// modify the host path it maps.
{{"bindmount_ro",required_argument,nullptr,'R'},"List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'"},
{{"bindmount",required_argument,nullptr,'B'},"List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'"},
// The short tmpfs form takes only a destination; the help text points to the
// generic -m form (with a size= option) as the alternative.
{{"tmpfsmount",required_argument,nullptr,'T'},"List of mountpoints to be mounted as tmpfs (R/W) inside the container. Can be specified multiple times. Supports 'dest' syntax. Alternatively, use '-m none:dest:tmpfs:size=8388608'"},
{{"mount",required_argument,nullptr,'m'},"Arbitrary mount, format src:dst:fs_type:options"},
{{"symlink",required_argument,nullptr,'s'},"Symlink, format src:dst"},
// procfs handling: it is mounted at /proc read-only unless these options say
// otherwise. Security-relevant: --proc_rw makes procfs writable in the jail.
{{"disable_proc",no_argument,nullptr,0x0603},"Disable mounting procfs in the jail"},
{{"proc_path",required_argument,nullptr,0x0605},"Path used to mount procfs (default: '/proc')"},
{{"proc_rw",no_argument,nullptr,0x0606},"Is procfs mounted as R/W (default: R/O)"},
// seccomp-bpf policy, given either as a file path or inline as a kafel string.
// No default policy is mentioned in either help text.
{{"seccomp_policy",required_argument,nullptr,'P'},"Path to file containing seccomp-bpf policy (see kafel/)"},
{{"seccomp_string",required_argument,nullptr,0x0901},"String with kafel seccomp-bpf policy (see kafel/)"},
// Useful for auditing a policy: every filter action other than ALLOW is logged.
// NOTE(review): the help text has an unmatched ')' after SECCOMP_RET_ALLOW.
{{"seccomp_log",no_argument,nullptr,0x0902},"Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW). Supported since kernel version 4.14"},
// The default niceness of 19 is the lowest scheduling priority.
// NOTE(review): "highest -priority" in the help text has a stray '-'.
{{"nice_level",required_argument,nullptr,0x0903},"Set jailed process niceness (-20 is highest -priority, 19 is lowest). By default, set to 19"},
// cgroup limits. Each controller (memory, pids, net_cls, cpu) has a limit
// value, a mount location and a parent cgroup that defaults to 'NSJAIL'.
// Per the defaults shown, every limit is disabled unless set explicitly.
{{"cgroup_mem_max",required_argument,nullptr,0x0801},"Maximum number of bytes to use in the group (default: '0' - disabled)"},
{{"cgroup_mem_memsw_max",required_argument,nullptr,0x0804},"Maximum number of memory+swap bytes to use (default: '0' - disabled)"},
// Unlike the other limits, swap uses '-1' rather than '0' as its "disabled"
// default. NOTE(review): presumably because 0 is a meaningful swap limit -- confirm.
{{"cgroup_mem_swap_max",required_argument,nullptr,0x0805},"Maximum number of swap bytes to use (default: '-1' - disabled)"},
{{"cgroup_mem_mount",required_argument,nullptr,0x0802},"Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')"},
{{"cgroup_mem_parent",required_argument,nullptr,0x0803},"Which pre-existing memory cgroup to use as a parent (default: 'NSJAIL')"},
{{"cgroup_pids_max",required_argument,nullptr,0x0811},"Maximum number of pids in a cgroup (default: '0' - disabled)"},
{{"cgroup_pids_mount",required_argument,nullptr,0x0812},"Location of pids cgroup FS (default: '/sys/fs/cgroup/pids')"},
{{"cgroup_pids_parent",required_argument,nullptr,0x0813},"Which pre-existing pids cgroup to use as a parent (default: 'NSJAIL')"},
{{"cgroup_net_cls_classid",required_argument,nullptr,0x0821},"Class identifier of network packets in the group (default: '0' - disabled)"},
{{"cgroup_net_cls_mount",required_argument,nullptr,0x0822},"Location of net_cls cgroup FS (default: '/sys/fs/cgroup/net_cls')"},
{{"cgroup_net_cls_parent",required_argument,nullptr,0x0823},"Which pre-existing net_cls cgroup to use as a parent (default: 'NSJAIL')"},
{{"cgroup_cpu_ms_per_sec",required_argument,nullptr,0x0831},"Number of milliseconds of CPU time per second that the process group can use (default: '0' - no limit)"},
{{"cgroup_cpu_mount",required_argument,nullptr,0x0832},"Location of cpu cgroup FS (default: '/sys/fs/cgroup/cpu')"},
{{"cgroup_cpu_parent",required_argument,nullptr,0x0833},"Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')"},
// cgroup v2 uses one unified mount location instead of per-controller mounts.
{{"cgroupv2_mount",required_argument,nullptr,0x0834},"Location of cgroupv2 directory (default: '/sys/fs/cgroup')"},
// NOTE(review): the help text refers to a use_cgroupv2 option that is not
// among the rows in this excerpt.
{{"detect_cgroupv2",no_argument,nullptr,0x0836},"Use cgroupv2, if it is available. (Specify instead of use_cgroupv2)"},
// Network interfaces inside the jail's NET namespace.
{{"iface_no_lo",no_argument,nullptr,0x700},"Don't bring the 'lo' interface up"},
// Moves an existing host interface into the jail's namespace.
{{"iface_own",required_argument,nullptr,0x704},"Move this existing network interface into the new NET namespace. Can be specified multiple times"},
// MACVLAN: the named host interface is cloned and appears in the jail as 'vs';
// the macvlan_vs_* options set that interface's IP, netmask, gateway, MAC
// address and mode.
{{"macvlan_iface",required_argument,nullptr,'I'},"Interface which will be cloned (MACVLAN) and put inside the subprocess' namespace as 'vs'"},
{{"macvlan_vs_ip",required_argument,nullptr,0x701},"IP of the 'vs' interface (e.g. \"192.168.0.1\")"},
{{"macvlan_vs_nm",required_argument,nullptr,0x702},"Netmask of the 'vs' interface (e.g. \"255.255.255.0\")"},
{{"macvlan_vs_gw",required_argument,nullptr,0x703},"Default GW for the 'vs' interface (e.g. \"192.168.0.1\")"},
{{"macvlan_vs_ma",required_argument,nullptr,0x705},"MAC-address of the 'vs' interface (e.g. \"ba:ad:ba:be:45:00\")"},
{{"macvlan_vs_mo",required_argument,nullptr,0x706},"Mode of the 'vs' interface. Can be either 'private', 'vepa', 'bridge' or 'passthru' (default: 'private')"},
// Security-relevant: per the help text this is only effective when the seccomp
// policy also forbids prctl(PR_SET_TSC, PR_TSC_ENABLE, ...); otherwise the
// jailed process can switch the timestamp counter back on. x86/x86_64 only.
{{"disable_tsc",no_argument,nullptr,0x707},"Disable rdtsc and rdtscp instructions. WARNING: To make it effective, you also need to forbid `prctl(PR_SET_TSC, PR_TSC_ENABLE, ...)` in seccomp rules! (x86 and x86_64 only). Dynamic binaries produced by GCC seem to rely on RDTSC, but static ones should work."},