config: switch is_ro to rw

2017-05-28 01:24:55 +02:00 · 2017-05-28 01:24:55 +02:00 · a2bbe667b9
commit a2bbe667b9
parent b5b47938d9
7 changed files with 1667 additions and 1585 deletions
--- a/config.c
+++ b/config.c
@ -180,7 +180,7 @@ static bool configParseInternal(struct nsjconf_t *nsjconf, Nsjail__NsJailConfig
 		const char *fstype = njc->mount[i]->fstype;
 		const char *options = njc->mount[i]->options;
-		uintptr_t flags = njc->mount[i]->is_ro ? MS_RDONLY : 0;
+		uintptr_t flags = (njc->mount[i]->rw == false) ? MS_RDONLY : 0;
 		flags |= njc->mount[i]->is_bind ? (MS_BIND | MS_REC) : 0;
 		bool mandatory = njc->mount[i]->mandatory;
--- a/config.pb-c.c
+++ b/config.pb-c.c
--- a/config.pb-c.h
+++ b/config.pb-c.h
@ -7,73 +7,80 @@
 #include <protobuf-c/protobuf-c.h>
 PROTOBUF_C__BEGIN_DECLS
 #if PROTOBUF_C_VERSION_NUMBER < 1000000
-#error This file was generated by a newer version of protoc-c which is incompatible with your libprotobuf-c headers. Please update your headers.
+# error This file was generated by a newer version of protoc-c which is incompatible with your libprotobuf-c headers. Please update your headers.
 #elif 1002001 < PROTOBUF_C_MIN_COMPILER_VERSION
-#error This file was generated by an older version of protoc-c which is incompatible with your libprotobuf-c headers. Please regenerate this file with a newer version of protoc-c.
+# error This file was generated by an older version of protoc-c which is incompatible with your libprotobuf-c headers. Please regenerate this file with a newer version of protoc-c.
 #endif
 typedef struct _Nsjail__IdMap Nsjail__IdMap;
 typedef struct _Nsjail__MountPt Nsjail__MountPt;
 typedef struct _Nsjail__Exe Nsjail__Exe;
 typedef struct _Nsjail__NsJailConfig Nsjail__NsJailConfig;
 /* --- enums --- */
 typedef enum _Nsjail__Mode {
-	/*
+  /*
-	 * Listening on a TCP port 
+   * Listening on a TCP port 
-	 */
+   */
-	NSJAIL__MODE__LISTEN = 0,
+  NSJAIL__MODE__LISTEN = 0,
-	/*
+  /*
-	 * Running the command once only 
+   * Running the command once only 
-	 */
+   */
-	NSJAIL__MODE__ONCE = 1,
+  NSJAIL__MODE__ONCE = 1,
-	/*
+  /*
-	 * Re-executing the command (forever) 
+   * Re-executing the command (forever) 
-	 */
+   */
-	NSJAIL__MODE__RERUN = 2,
+  NSJAIL__MODE__RERUN = 2,
-	/*
+  /*
-	 * Executing command w/o the supervisor 
+   * Executing command w/o the supervisor 
-	 */
+   */
-	NSJAIL__MODE__EXECVE = 3 PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(NSJAIL__MODE)
+  NSJAIL__MODE__EXECVE = 3
    PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(NSJAIL__MODE)
 } Nsjail__Mode;
 /*
 * Should be self explanatory 
 */
 typedef enum _Nsjail__LogLevel {
-	/*
+  /*
-	 * Equivalent to the '-v' cmd-line option 
+   * Equivalent to the '-v' cmd-line option 
-	 */
+   */
-	NSJAIL__LOG_LEVEL__DEBUG = 0,
+  NSJAIL__LOG_LEVEL__DEBUG = 0,
-	/*
+  /*
-	 * Default level 
+   * Default level 
-	 */
+   */
-	NSJAIL__LOG_LEVEL__INFO = 1,
+  NSJAIL__LOG_LEVEL__INFO = 1,
-	/*
+  /*
-	 * Equivalent to the '-q' cmd-line option 
+   * Equivalent to the '-q' cmd-line option 
-	 */
+   */
-	NSJAIL__LOG_LEVEL__WARNING = 2,
+  NSJAIL__LOG_LEVEL__WARNING = 2,
-	NSJAIL__LOG_LEVEL__ERROR = 3,
+  NSJAIL__LOG_LEVEL__ERROR = 3,
-	NSJAIL__LOG_LEVEL__FATAL = 4 PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(NSJAIL__LOG_LEVEL)
+  NSJAIL__LOG_LEVEL__FATAL = 4
    PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(NSJAIL__LOG_LEVEL)
 } Nsjail__LogLevel;
 /* --- messages --- */
-struct _Nsjail__IdMap {
+struct  _Nsjail__IdMap
-	ProtobufCMessage base;
+{
-	/*
+  ProtobufCMessage base;
-	 * Empty string means "current uid/gid" 
+  /*
-	 */
+   * Empty string means "current uid/gid" 
-	char *inside_id;
+   */
-	char *outside_id;
+  char *inside_id;
-	/*
+  char *outside_id;
-	 * See 'man user_namespaces' for the meaning of count 
+  /*
-	 */
+   * See 'man user_namespaces' for the meaning of count 
-	uint32_t count;
+   */
-	/*
+  uint32_t count;
-	 * Does this map use /usr/bin/new[u|g]idmap binary? 
+  /*
-	 */
+   * Does this map use /usr/bin/new[u|g]idmap binary? 
-	protobuf_c_boolean use_newidmap;
+   */
  protobuf_c_boolean use_newidmap;
 };
 extern char nsjail__id_map__inside_id__default_value[];
 extern char nsjail__id_map__outside_id__default_value[];
@ -81,50 +88,52 @@ extern char nsjail__id_map__outside_id__default_value[];
 { PROTOBUF_C_MESSAGE_INIT (&nsjail__id_map__descriptor) \
    , nsjail__id_map__inside_id__default_value, nsjail__id_map__outside_id__default_value, 1u, 0 }
-struct _Nsjail__MountPt {
+
-	ProtobufCMessage base;
+struct  _Nsjail__MountPt
-	/*
+{
-	 * Can be skipped for filesystems like 'proc' 
+  ProtobufCMessage base;
-	 */
+  /*
-	char *src;
+   * Can be skipped for filesystems like 'proc' 
-	/*
+   */
-	 * Should 'src' path be prefixed with this envvar? 
+  char *src;
-	 */
+  /*
-	char *prefix_src_env;
+   * Should 'src' path be prefixed with this envvar? 
-	/*
+   */
-	 * Mount point inside jail 
+  char *prefix_src_env;
-	 */
+  /*
-	char *dst;
+   * Mount point inside jail 
-	/*
+   */
-	 * Should 'dst' path be prefixed with this envvar? 
+  char *dst;
-	 */
+  /*
-	char *prefix_dst_env;
+   * Should 'dst' path be prefixed with this envvar? 
-	/*
+   */
-	 * Can be empty for mount --bind mounts 
+  char *prefix_dst_env;
-	 */
+  /*
-	char *fstype;
+   * Can be empty for mount --bind mounts 
-	/*
+   */
-	 * E.g. size=5000000 for 'tmpfs' 
+  char *fstype;
-	 */
+  /*
-	char *options;
+   * E.g. size=5000000 for 'tmpfs' 
-	/*
+   */
-	 * Is it 'mount --bind src dst' type of mount 
+  char *options;
-	 */
+  /*
-	protobuf_c_boolean is_bind;
+   * Is it 'mount --bind src dst' type of mount 
-	/*
+   */
-	 * It it RO mount 
+  protobuf_c_boolean is_bind;
-	 */
+  /*
-	protobuf_c_boolean is_ro;
+   * It it R/W mount 
-	/*
+   */
-	 * Is it directory? If not specified an internal
+  protobuf_c_boolean rw;
-	 *heuristics will be used to determine that 
+  /*
-	 */
+   * Is it directory? If not specified an internal
-	protobuf_c_boolean has_is_dir;
+   *heuristics will be used to determine that 
-	protobuf_c_boolean is_dir;
+   */
-	/*
+  protobuf_c_boolean has_is_dir;
-	 * Should the sandboxing fail if we cannot mount this resource? 
+  protobuf_c_boolean is_dir;
-	 */
+  /*
-	protobuf_c_boolean mandatory;
+   * Should the sandboxing fail if we cannot mount this resource? 
   */
  protobuf_c_boolean mandatory;
 };
 extern char nsjail__mount_pt__fstype__default_value[];
 extern char nsjail__mount_pt__options__default_value[];
@ -132,234 +141,238 @@ extern char nsjail__mount_pt__options__default_value[];
 { PROTOBUF_C_MESSAGE_INIT (&nsjail__mount_pt__descriptor) \
    , NULL, NULL, NULL, NULL, nsjail__mount_pt__fstype__default_value, nsjail__mount_pt__options__default_value, 0, 0, 0,0, 1 }
-struct _Nsjail__Exe {
+
-	ProtobufCMessage base;
+struct  _Nsjail__Exe
-	/*
+{
-	 * Will be used both as execv's path and as argv[0] 
+  ProtobufCMessage base;
-	 */
+  /*
-	char *path;
+   * Will be used both as execv's path and as argv[0] 
-	/*
+   */
-	 * This will be argv[1] and so on.. 
+  char *path;
-	 */
+  /*
-	size_t n_arg;
+   * This will be argv[1] and so on.. 
-	char **arg;
+   */
  size_t n_arg;
  char **arg;
 };
 #define NSJAIL__EXE__INIT \
 { PROTOBUF_C_MESSAGE_INIT (&nsjail__exe__descriptor) \
    , NULL, 0,NULL }
-struct _Nsjail__NsJailConfig {
+
-	ProtobufCMessage base;
+struct  _Nsjail__NsJailConfig
-	/*
+{
-	 * Optional name and description for this config 
+  ProtobufCMessage base;
-	 */
+  /*
-	char *name;
+   * Optional name and description for this config 
-	char *description;
+   */
-	/*
+  char *name;
-	 * Execution mode: see 'msg Mode' description for more 
+  char *description;
-	 */
+  /*
-	Nsjail__Mode mode;
+   * Execution mode: see 'msg Mode' description for more 
-	/*
+   */
-	 * Equivalent to a bind mount with dst='/' 
+  Nsjail__Mode mode;
-	 */
+  /*
-	char *chroot_dir;
+   * Equivalent to a bind mount with dst='/' 
-	/*
+   */
-	 * Applies both to the chroot_dir and to /proc mounts 
+  char *chroot_dir;
-	 */
+  /*
-	protobuf_c_boolean is_root_rw;
+   * Applies both to the chroot_dir and to /proc mounts 
-	/*
+   */
-	 * Hostname inside jail 
+  protobuf_c_boolean is_root_rw;
-	 */
+  /*
-	char *hostname;
+   * Hostname inside jail 
-	/*
+   */
-	 * Initial current working directory for the binary 
+  char *hostname;
-	 */
+  /*
-	char *cwd;
+   * Initial current working directory for the binary 
-	/*
+   */
-	 * TCP port to listen to. Valid with mode=LISTEN only 
+  char *cwd;
-	 */
+  /*
-	uint32_t port;
+   * TCP port to listen to. Valid with mode=LISTEN only 
-	/*
+   */
-	 * Host to bind to for mode=LISTEN. Must be in IPv6 format 
+  uint32_t port;
-	 */
+  /*
-	char *bindhost;
+   * Host to bind to for mode=LISTEN. Must be in IPv6 format 
-	/*
+   */
-	 * For mode=LISTEN, maximum number of connections from a single IP 
+  char *bindhost;
-	 */
+  /*
-	uint32_t max_conns_per_ip;
+   * For mode=LISTEN, maximum number of connections from a single IP 
-	/*
+   */
-	 * Wall-time time limit for commands 
+  uint32_t max_conns_per_ip;
-	 */
+  /*
-	uint32_t time_limit;
+   * Wall-time time limit for commands 
-	/*
+   */
-	 * Should nsjail go into background? 
+  uint32_t time_limit;
-	 */
+  /*
-	protobuf_c_boolean daemon;
+   * Should nsjail go into background? 
-	/*
+   */
-	 * File to save lofs to 
+  protobuf_c_boolean daemon;
-	 */
+  /*
-	char *log_file;
+   * File to save lofs to 
-	/*
+   */
-	 * Minimum log level displayed.
+  char *log_file;
-	 *See 'msg LogLevel' description for more 
+  /*
-	 */
+   * Minimum log level displayed.
-	protobuf_c_boolean has_log_level;
+   *See 'msg LogLevel' description for more 
-	Nsjail__LogLevel log_level;
+   */
-	/*
+  protobuf_c_boolean has_log_level;
-	 * Should the current environment variables be kept
+  Nsjail__LogLevel log_level;
-	 *when executing the binary 
+  /*
-	 */
+   * Should the current environment variables be kept
-	protobuf_c_boolean keep_env;
+   *when executing the binary 
-	/*
+   */
-	 * EnvVars to be set before executing binaries 
+  protobuf_c_boolean keep_env;
-	 */
+  /*
-	size_t n_envar;
+   * EnvVars to be set before executing binaries 
-	char **envar;
+   */
-	/*
+  size_t n_envar;
-	 * Should nsjail close FD=0,1,2 before executing the process 
+  char **envar;
-	 */
+  /*
-	protobuf_c_boolean silent;
+   * Should nsjail close FD=0,1,2 before executing the process 
-	/*
+   */
-	 * Should the child process have control over terminal?
+  protobuf_c_boolean silent;
-	 *Can be useful to allow /bin/sh to provide
+  /*
-	 *job control / signals 
+   * Should the child process have control over terminal?
-	 */
+   *Can be useful to allow /bin/sh to provide
-	protobuf_c_boolean skip_setsid;
+   *job control / signals 
-	/*
+   */
-	 * Which FDs should be passed to the newly executed process
+  protobuf_c_boolean skip_setsid;
-	 *By default only FD=0,1,2 are passed 
+  /*
-	 */
+   * Which FDs should be passed to the newly executed process
-	size_t n_pass_fd;
+   *By default only FD=0,1,2 are passed 
-	int32_t *pass_fd;
+   */
-	/*
+  size_t n_pass_fd;
-	 * Should pivot_root be used instead of chroot?
+  int32_t *pass_fd;
-	 *Using pivot_root allows to have subnamespaces 
+  /*
-	 */
+   * Should pivot_root be used instead of chroot?
-	protobuf_c_boolean pivot_root_only;
+   *Using pivot_root allows to have subnamespaces 
-	/*
+   */
-	 * Setting it to true will allow to have set-uid binaries
+  protobuf_c_boolean pivot_root_only;
-	 *inside the jail 
+  /*
-	 */
+   * Setting it to true will allow to have set-uid binaries
-	protobuf_c_boolean disable_no_new_privs;
+   *inside the jail 
-	/*
+   */
-	 * In MiB 
+  protobuf_c_boolean disable_no_new_privs;
-	 */
+  /*
-	uint64_t rlimit_as;
+   * In MiB 
-	/*
+   */
-	 * In MiB 
+  uint64_t rlimit_as;
-	 */
+  /*
-	uint64_t rlimit_core;
+   * In MiB 
-	/*
+   */
-	 * In seconds 
+  uint64_t rlimit_core;
-	 */
+  /*
-	uint64_t rlimit_cpu;
+   * In seconds 
-	/*
+   */
-	 * In MiB 
+  uint64_t rlimit_cpu;
-	 */
+  /*
-	uint64_t rlimit_fsize;
+   * In MiB 
-	uint64_t rlimit_nofile;
+   */
-	/*
+  uint64_t rlimit_fsize;
-	 * This is system-wide: tricky to use 
+  uint64_t rlimit_nofile;
-	 */
+  /*
-	protobuf_c_boolean has_rlimit_nproc;
+   * This is system-wide: tricky to use 
-	uint64_t rlimit_nproc;
+   */
-	/*
+  protobuf_c_boolean has_rlimit_nproc;
-	 * In MiB 
+  uint64_t rlimit_nproc;
-	 */
+  /*
-	protobuf_c_boolean has_rlimit_stack;
+   * In MiB 
-	uint64_t rlimit_stack;
+   */
-	/*
+  protobuf_c_boolean has_rlimit_stack;
-	 * See 'man personality' for more 
+  uint64_t rlimit_stack;
-	 */
+  /*
-	protobuf_c_boolean persona_addr_compat_layout;
+   * See 'man personality' for more 
-	protobuf_c_boolean persona_mmap_page_zero;
+   */
-	protobuf_c_boolean persona_read_implies_exec;
+  protobuf_c_boolean persona_addr_compat_layout;
-	protobuf_c_boolean persona_addr_limit_3gb;
+  protobuf_c_boolean persona_mmap_page_zero;
-	protobuf_c_boolean persona_addr_no_randomize;
+  protobuf_c_boolean persona_read_implies_exec;
-	/*
+  protobuf_c_boolean persona_addr_limit_3gb;
-	 * Which name-spaces should be used? 
+  protobuf_c_boolean persona_addr_no_randomize;
-	 */
+  /*
-	protobuf_c_boolean clone_newnet;
+   * Which name-spaces should be used? 
-	protobuf_c_boolean clone_newuser;
+   */
-	protobuf_c_boolean clone_newns;
+  protobuf_c_boolean clone_newnet;
-	protobuf_c_boolean clone_newpid;
+  protobuf_c_boolean clone_newuser;
-	protobuf_c_boolean clone_newipc;
+  protobuf_c_boolean clone_newns;
-	protobuf_c_boolean clone_newuts;
+  protobuf_c_boolean clone_newpid;
-	/*
+  protobuf_c_boolean clone_newipc;
-	 * It's only supported in newer kernels, hence disabled by default 
+  protobuf_c_boolean clone_newuts;
-	 */
+  /*
-	protobuf_c_boolean clone_newcgroup;
+   * It's only supported in newer kernels, hence disabled by default 
-	/*
+   */
-	 * Mappings for UIDs and GIDs. See the description for 'msg IdMap'
+  protobuf_c_boolean clone_newcgroup;
-	 *for more 
+  /*
-	 */
+   * Mappings for UIDs and GIDs. See the description for 'msg IdMap'
-	size_t n_uidmap;
+   *for more 
-	Nsjail__IdMap **uidmap;
+   */
-	size_t n_gidmap;
+  size_t n_uidmap;
-	Nsjail__IdMap **gidmap;
+  Nsjail__IdMap **uidmap;
-	/*
+  size_t n_gidmap;
-	 * Should /proc be mounted (R/O)? This can also be added in the 'mount'
+  Nsjail__IdMap **gidmap;
-	 *section below 
+  /*
-	 */
+   * Should /proc be mounted (R/O)? This can also be added in the 'mount'
-	protobuf_c_boolean mount_proc;
+   *section below 
-	/*
+   */
-	 * Mount points inside the jail. See the description for 'msg MountPt'
+  protobuf_c_boolean mount_proc;
-	 *for more 
+  /*
-	 */
+   * Mount points inside the jail. See the description for 'msg MountPt'
-	size_t n_mount;
+   *for more 
-	Nsjail__MountPt **mount;
+   */
-	/*
+  size_t n_mount;
-	 * Kafel seccomp-bpf policy file or a string:
+  Nsjail__MountPt **mount;
-	 *Homepage of the project: https://github.com/google/kafel 
+  /*
-	 */
+   * Kafel seccomp-bpf policy file or a string:
-	char *seccomp_policy_file;
+   *Homepage of the project: https://github.com/google/kafel 
-	char *seccomp_string;
+   */
-	/*
+  char *seccomp_policy_file;
-	 * If > 0, maximum cumulative size of RAM used inside any jail 
+  char *seccomp_string;
-	 */
+  /*
-	/*
+   * If > 0, maximum cumulative size of RAM used inside any jail 
-	 * In MiB 
+   */
-	 */
+  /*
-	uint64_t cgroup_mem_max;
+   * In MiB 
-	/*
+   */
-	 * Mount point for cgroups-memory in your system 
+  uint64_t cgroup_mem_max;
-	 */
+  /*
-	char *cgroup_mem_mount;
+   * Mount point for cgroups-memory in your system 
-	/*
+   */
-	 * Writeable directory (for the nsjail user) under cgroup_mem_mount 
+  char *cgroup_mem_mount;
-	 */
+  /*
-	char *cgroup_mem_parent;
+   * Writeable directory (for the nsjail user) under cgroup_mem_mount 
-	/*
+   */
-	 * If > 0, maximum number of PIDs (threads/processes) inside jail 
+  char *cgroup_mem_parent;
-	 */
+  /*
-	uint64_t cgroup_pids_max;
+   * If > 0, maximum number of PIDs (threads/processes) inside jail 
-	/*
+   */
-	 * Mount point for cgroups-pids in your system 
+  uint64_t cgroup_pids_max;
-	 */
+  /*
-	char *cgroup_pids_mount;
+   * Mount point for cgroups-pids in your system 
-	/*
+   */
-	 * Writeable directory (for the nsjail user) under cgroup_pids_mount 
+  char *cgroup_pids_mount;
-	 */
+  /*
-	char *cgroup_pids_parent;
+   * Writeable directory (for the nsjail user) under cgroup_pids_mount 
-	/*
+   */
-	 * Should the 'lo' interface be brought up (active) inside this jail? 
+  char *cgroup_pids_parent;
-	 */
+  /*
-	protobuf_c_boolean iface_no_lo;
+   * Should the 'lo' interface be brought up (active) inside this jail? 
-	/*
+   */
-	 * Parameters for the cloned MACVLAN interface inside jail 
+  protobuf_c_boolean iface_no_lo;
-	 */
+  /*
-	/*
+   * Parameters for the cloned MACVLAN interface inside jail 
-	 * Interface to be cloned, eg 'eth0' 
+   */
-	 */
+  /*
-	char *macvlan_iface;
+   * Interface to be cloned, eg 'eth0' 
-	char *macvlan_vs_ip;
+   */
-	char *macvlan_vs_nm;
+  char *macvlan_iface;
-	char *macvlan_vs_gw;
+  char *macvlan_vs_ip;
-	/*
+  char *macvlan_vs_nm;
-	 * Binary path (with arguments) to be executed. If not specified here, it
+  char *macvlan_vs_gw;
-	 *can be specified with cmd-line as "-- /path/to/command arg1 arg2" 
+  /*
-	 */
+   * Binary path (with arguments) to be executed. If not specified here, it
-	Nsjail__Exe *exec_bin;
+   *can be specified with cmd-line as "-- /path/to/command arg1 arg2" 
   */
  Nsjail__Exe *exec_bin;
 };
 extern char nsjail__ns_jail_config__name__default_value[];
 extern char nsjail__ns_jail_config__description__default_value[];
@ -377,60 +390,111 @@ extern char nsjail__ns_jail_config__macvlan_vs_gw__default_value[];
 { PROTOBUF_C_MESSAGE_INIT (&nsjail__ns_jail_config__descriptor) \
    , nsjail__ns_jail_config__name__default_value, nsjail__ns_jail_config__description__default_value, NSJAIL__MODE__ONCE, NULL, 0, nsjail__ns_jail_config__hostname__default_value, nsjail__ns_jail_config__cwd__default_value, 0u, nsjail__ns_jail_config__bindhost__default_value, 0u, 600u, 0, NULL, 0,0, 0, 0,NULL, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL, 0, 0,NULL, NULL, NULL, 0ull, nsjail__ns_jail_config__cgroup_mem_mount__default_value, nsjail__ns_jail_config__cgroup_mem_parent__default_value, 0ull, nsjail__ns_jail_config__cgroup_pids_mount__default_value, nsjail__ns_jail_config__cgroup_pids_parent__default_value, 0, NULL, nsjail__ns_jail_config__macvlan_vs_ip__default_value, nsjail__ns_jail_config__macvlan_vs_nm__default_value, nsjail__ns_jail_config__macvlan_vs_gw__default_value, NULL }
 /* Nsjail__IdMap methods */
-void nsjail__id_map__init(Nsjail__IdMap * message);
+void   nsjail__id_map__init
-size_t nsjail__id_map__get_packed_size(const Nsjail__IdMap * message);
+                     (Nsjail__IdMap         *message);
-size_t nsjail__id_map__pack(const Nsjail__IdMap * message, uint8_t * out);
+size_t nsjail__id_map__get_packed_size
-size_t nsjail__id_map__pack_to_buffer(const Nsjail__IdMap * message, ProtobufCBuffer * buffer);
+                     (const Nsjail__IdMap   *message);
-Nsjail__IdMap *nsjail__id_map__unpack
+size_t nsjail__id_map__pack
-    (ProtobufCAllocator * allocator, size_t len, const uint8_t * data);
+                     (const Nsjail__IdMap   *message,
-void nsjail__id_map__free_unpacked(Nsjail__IdMap * message, ProtobufCAllocator * allocator);
+                      uint8_t             *out);
 size_t nsjail__id_map__pack_to_buffer
                     (const Nsjail__IdMap   *message,
                      ProtobufCBuffer     *buffer);
 Nsjail__IdMap *
       nsjail__id_map__unpack
                     (ProtobufCAllocator  *allocator,
                      size_t               len,
                      const uint8_t       *data);
 void   nsjail__id_map__free_unpacked
                     (Nsjail__IdMap *message,
                      ProtobufCAllocator *allocator);
 /* Nsjail__MountPt methods */
-void nsjail__mount_pt__init(Nsjail__MountPt * message);
+void   nsjail__mount_pt__init
-size_t nsjail__mount_pt__get_packed_size(const Nsjail__MountPt * message);
+                     (Nsjail__MountPt         *message);
-size_t nsjail__mount_pt__pack(const Nsjail__MountPt * message, uint8_t * out);
+size_t nsjail__mount_pt__get_packed_size
-size_t nsjail__mount_pt__pack_to_buffer(const Nsjail__MountPt * message, ProtobufCBuffer * buffer);
+                     (const Nsjail__MountPt   *message);
-Nsjail__MountPt *nsjail__mount_pt__unpack
+size_t nsjail__mount_pt__pack
-    (ProtobufCAllocator * allocator, size_t len, const uint8_t * data);
+                     (const Nsjail__MountPt   *message,
-void nsjail__mount_pt__free_unpacked(Nsjail__MountPt * message, ProtobufCAllocator * allocator);
+                      uint8_t             *out);
 size_t nsjail__mount_pt__pack_to_buffer
                     (const Nsjail__MountPt   *message,
                      ProtobufCBuffer     *buffer);
 Nsjail__MountPt *
       nsjail__mount_pt__unpack
                     (ProtobufCAllocator  *allocator,
                      size_t               len,
                      const uint8_t       *data);
 void   nsjail__mount_pt__free_unpacked
                     (Nsjail__MountPt *message,
                      ProtobufCAllocator *allocator);
 /* Nsjail__Exe methods */
-void nsjail__exe__init(Nsjail__Exe * message);
+void   nsjail__exe__init
-size_t nsjail__exe__get_packed_size(const Nsjail__Exe * message);
+                     (Nsjail__Exe         *message);
-size_t nsjail__exe__pack(const Nsjail__Exe * message, uint8_t * out);
+size_t nsjail__exe__get_packed_size
-size_t nsjail__exe__pack_to_buffer(const Nsjail__Exe * message, ProtobufCBuffer * buffer);
+                     (const Nsjail__Exe   *message);
-Nsjail__Exe *nsjail__exe__unpack(ProtobufCAllocator * allocator, size_t len, const uint8_t * data);
+size_t nsjail__exe__pack
-void nsjail__exe__free_unpacked(Nsjail__Exe * message, ProtobufCAllocator * allocator);
+                     (const Nsjail__Exe   *message,
                      uint8_t             *out);
 size_t nsjail__exe__pack_to_buffer
                     (const Nsjail__Exe   *message,
                      ProtobufCBuffer     *buffer);
 Nsjail__Exe *
       nsjail__exe__unpack
                     (ProtobufCAllocator  *allocator,
                      size_t               len,
                      const uint8_t       *data);
 void   nsjail__exe__free_unpacked
                     (Nsjail__Exe *message,
                      ProtobufCAllocator *allocator);
 /* Nsjail__NsJailConfig methods */
-void nsjail__ns_jail_config__init(Nsjail__NsJailConfig * message);
+void   nsjail__ns_jail_config__init
-size_t nsjail__ns_jail_config__get_packed_size(const Nsjail__NsJailConfig * message);
+                     (Nsjail__NsJailConfig         *message);
-size_t nsjail__ns_jail_config__pack(const Nsjail__NsJailConfig * message, uint8_t * out);
+size_t nsjail__ns_jail_config__get_packed_size
                     (const Nsjail__NsJailConfig   *message);
 size_t nsjail__ns_jail_config__pack
                     (const Nsjail__NsJailConfig   *message,
                      uint8_t             *out);
 size_t nsjail__ns_jail_config__pack_to_buffer
-    (const Nsjail__NsJailConfig * message, ProtobufCBuffer * buffer);
+                     (const Nsjail__NsJailConfig   *message,
-Nsjail__NsJailConfig *nsjail__ns_jail_config__unpack
+                      ProtobufCBuffer     *buffer);
-    (ProtobufCAllocator * allocator, size_t len, const uint8_t * data);
+Nsjail__NsJailConfig *
-void nsjail__ns_jail_config__free_unpacked
+       nsjail__ns_jail_config__unpack
-    (Nsjail__NsJailConfig * message, ProtobufCAllocator * allocator);
+                     (ProtobufCAllocator  *allocator,
                      size_t               len,
                      const uint8_t       *data);
 void   nsjail__ns_jail_config__free_unpacked
                     (Nsjail__NsJailConfig *message,
                      ProtobufCAllocator *allocator);
 /* --- per-message closures --- */
 typedef void (*Nsjail__IdMap_Closure)
- (const Nsjail__IdMap * message, void *closure_data);
+                 (const Nsjail__IdMap *message,
                  void *closure_data);
 typedef void (*Nsjail__MountPt_Closure)
- (const Nsjail__MountPt * message, void *closure_data);
+                 (const Nsjail__MountPt *message,
                  void *closure_data);
 typedef void (*Nsjail__Exe_Closure)
- (const Nsjail__Exe * message, void *closure_data);
+                 (const Nsjail__Exe *message,
                  void *closure_data);
 typedef void (*Nsjail__NsJailConfig_Closure)
- (const Nsjail__NsJailConfig * message, void *closure_data);
+                 (const Nsjail__NsJailConfig *message,
                  void *closure_data);
 /* --- services --- */
 /* --- descriptors --- */
-extern const ProtobufCEnumDescriptor nsjail__mode__descriptor;
+extern const ProtobufCEnumDescriptor    nsjail__mode__descriptor;
-extern const ProtobufCEnumDescriptor nsjail__log_level__descriptor;
+extern const ProtobufCEnumDescriptor    nsjail__log_level__descriptor;
 extern const ProtobufCMessageDescriptor nsjail__id_map__descriptor;
 extern const ProtobufCMessageDescriptor nsjail__mount_pt__descriptor;
 extern const ProtobufCMessageDescriptor nsjail__exe__descriptor;
 extern const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor;
 PROTOBUF_C__END_DECLS
-#endif				/* PROTOBUF_C_config_2eproto__INCLUDED */
+
 #endif  /* PROTOBUF_C_config_2eproto__INCLUDED */
--- a/config.proto
+++ b/config.proto
@ -42,8 +42,8 @@ message MountPt
    required string options = 6 [ default = "" ];
    /* Is it 'mount --bind src dst' type of mount */
    required bool is_bind = 7 [ default = false ];
-    /* It it RO mount */
+    /* It it R/W mount */
-    required bool is_ro = 8 [ default = false ];
+    required bool rw = 8 [ default = false ];
    /* Is it directory? If not specified an internal
       heuristics will be used to determine that */
    optional bool is_dir = 9;
--- a/configs/bash-with-fake-geteuid.cfg
+++ b/configs/bash-with-fake-geteuid.cfg
@ -70,35 +70,35 @@ mount {
 	src: "/lib"
 	dst: "/lib"
 	is_bind: true
-	is_ro: true
+	rw: false
 }
 mount {
 	src: "/bin"
 	dst: "/bin"
 	is_bind: true
-	is_ro: true
+	rw: false
 }
 mount {
 	src: "/sbin"
 	dst: "/sbin"
 	is_bind: true
-	is_ro: true
+	rw: false
 }
 mount {
 	src: "/usr"
 	dst: "/usr"
 	is_bind: true
-	is_ro: true
+	rw: false
 }
 mount {
 	src: "/lib64"
 	dst: "/lib64"
 	is_bind: true
-	is_ro: true
+	rw: false
 	mandatory: false
 }
@ -106,14 +106,14 @@ mount {
 	src: "/lib32"
 	dst: "/lib32"
 	is_bind: true
-	is_ro: true
+	rw: false
 	mandatory: false
 }
 mount {
 	dst: "/tmp"
 	fstype: "tmpfs"
-	is_ro: false
+	rw: true
 	is_bind: false
 }
@ -121,21 +121,21 @@ mount {
 	dst: "/dev"
 	fstype: "tmpfs"
 	options: "size=8388608"
-	is_ro: false
+	rw: true
 	is_bind: false
 }
 mount {
 	src: "/dev/null"
 	dst: "/dev/null"
-	is_ro: false
+	rw: true
 	is_bind: true
 }
 mount {
 	dst: "/proc"
 	fstype: "proc"
-	is_ro: true
+	rw: false
 }
 mount {
--- a/configs/firefox-with-net.cfg
+++ b/configs/firefox-with-net.cfg
@ -83,7 +83,7 @@ mount {
 	src: "/dev/urandom"
 	dst: "/dev/urandom"
 	is_bind: true
-	is_ro: false
+	rw: true
 }
 mount {
@ -103,21 +103,21 @@ mount {
 mount {
 	dst: "/tmp"
 	fstype: "tmpfs"
-	is_ro: false
+	rw: true
 	is_bind: false
 }
 mount {
 	dst: "/user"
 	fstype: "tmpfs"
-	is_ro: false
+	rw: true
 }
 mount {
 	prefix_src_env: "HOME"
 	src: "/Documents"
 	dst: "/user/Documents"
-	is_ro: false
+	rw: true
 	is_bind: true
 	mandatory: false
 }
@ -127,20 +127,19 @@ mount {
 	src: "/.mozilla"
 	dst: "/user/.mozilla"
 	is_bind: true
-	is_ro: false
+	rw: true
 	mandatory: false
 }
 mount {
 	dst: "/user/.cache"
 	fstype: "tmpfs"
-	is_ro: false
+	rw: true
 }
 mount {
 	src: "/tmp/.X11-unix/X0"
 	dst: "/tmp/.X11-unix/X0"
 	is_ro: false
 	is_bind: true
 }
--- a/configs/home-documents-with-xorg-no-net.cfg
+++ b/configs/home-documents-with-xorg-no-net.cfg
@ -64,13 +64,13 @@ mount {
 mount {
 	dst: "/tmp"
 	fstype: "tmpfs"
-	is_ro: false
+	rw: true
 }
 mount {
 	dst: "/user"
 	fstype: "tmpfs"
-	is_ro: false
+	rw: true
 }
 mount {
@ -83,7 +83,6 @@ mount {
 mount {
 	src: "/tmp/.X11-unix/X0"
 	dst: "/tmp/.X11-unix/X0"
 	is_ro: false
 	is_bind: true
 }