syntax = "proto2";

package nsjail;

enum Mode {
    LISTEN = 0; /* Listening on a TCP port */
    ONCE = 1; /* Running the command once only */
    RERUN = 2; /* Re-executing the command (forever) */
    EXECVE = 3; /* Executing command w/o the supervisor */
}
/* Should be self explanatory */
enum LogLevel {
    DEBUG = 0; /* Equivalent to the '-v' cmd-line option */
    INFO = 1; /* Default level */
    WARNING = 2; /* Equivalent to the '-q' cmd-line option */
    ERROR = 3;
    FATAL = 4;
}
message IdMap
{
    /* Empty string means "current uid/gid" */
    required string inside_id = 1 [ default = "" ];
    required string outside_id = 2 [ default = "" ];
    /* See 'man user_namespaces' for the meaning of count */
    required uint32 count = 3 [ default = 1 ];
    /* Does this map use /usr/bin/new[u|g]idmap binary? */
    required bool use_newidmap = 4 [ default = false ];
}
message MountPt
{
    /* Can be skipped for filesystems like 'proc' */
    optional string src = 1;
    required string dst = 2;
    /* Can be empty for mount --bind mounts */
    optional string fstype = 3 [ default = "" ];
    /* E.g. size=5000000 for 'tmpfs' */
    required string options = 4 [ default = "" ];
    /* Is it 'mount --bind src dst' type of mount */
    required bool is_bind = 5 [ default = false ];
    /* It it RO mount */
    required bool is_ro = 6 [ default = false ];
    /* Is it directory? If not specified an internal
       heuristics will be used to determine that */
    optional bool is_dir = 7;
    /* Should the sandboxing fail if we cannot mount this resource? */
    required bool mandatory = 8 [ default = true ];
}
message Exe
{
    /* Will be used both as execv's path and as argv[0] */
    required string path = 1;
    /* This will be argv[1] and so on.. */
    repeated string arg = 2;
}
message NsJailConfig
{
	/* Optional name and description for this config */
	optional string name = 1 [ default = "" ];
	optional string description = 2 [ default = "" ];

    /* Execution mode: see 'msg Mode' description for more */
    required Mode mode = 3 [ default = ONCE ];
    /* Equivalent to a bind mount with dst='/' */
    optional string chroot_dir = 4;
    /* Applies both to the chroot_dir and to /proc mounts */
    required bool is_root_rw = 5 [ default = false ];
    /* Hostname inside jail */
    required string hostname = 8 [ default = "NSJAIL" ];
    /* Initial current working directory for the binary */
    required string cwd = 9 [ default = "/" ];

    /* TCP port to listen to. Valid with mode=LISTEN only */
    required uint32 port = 10 [ default = 0 ];
    /* Host to bind to for mode=LISTEN. Must be in IPv6 format */
    required string bindhost = 11 [ default = "::" ];
    /* For mode=LISTEN, maximum number of connections from a single IP */
    required uint32 max_conns_per_ip = 12 [ default = 0 ];

    /* Wall-time time limit for commands */
    required uint32 time_limit = 13 [ default = 600 ];
    /* Should nsjail go into background? */
    required bool daemon = 14 [ default = false ];

    /* File to save lofs to */
    optional string log_file = 15;
    /* Minimum log level displayed.
       See 'msg LogLevel' description for more */
    optional LogLevel log_level = 16;

    /* Should the current environment variables be kept
       when executing the binary */
    required bool keep_env = 17 [ default = false ];
    /* EnvVars to be set before executing binaries */
    repeated string envar = 18;

    /* Should nsjail close FD=0,1,2 before executing the process */
    required bool silent = 19 [ default = false ];
    /* Should the child process have control over terminal?
       Can be useful to allow /bin/sh to provide
       job control / signals */
    required bool skip_setsid = 20 [ default = false ];
    /* Which FDs should be passed to the newly executed process
       By default only FD=0,1,2 are passed */
    repeated int32 pass_fd = 21;
    /* Should pivot_root be used instead of chroot?
       Using pivot_root allows to have subnamespaces */
    required bool pivot_root_only = 22 [ default = false ];
    /* Setting it to true will allow to have set-uid binaries
       inside the jail */
    required bool disable_no_new_privs = 23 [ default = false ];

    required uint64 rlimit_as = 24 [ default = 512 ]; /* In MiB */
    required uint64 rlimit_core = 25 [ default = 0 ]; /* In MiB */
    required uint64 rlimit_cpu = 26 [ default = 600 ]; /* In seconds */
    required uint64 rlimit_fsize = 27 [ default = 1 ]; /* In MiB */
    required uint64 rlimit_nofile = 28 [ default = 32 ];
    optional uint64 rlimit_nproc = 29; /* This is system-wide: tricky to use */
    optional uint64 rlimit_stack = 30; /* In MiB */

    /* See 'man personality' for more */
    required bool persona_addr_compat_layout = 31 [ default = false ];
    required bool persona_mmap_page_zero = 32 [ default = false ];
    required bool persona_read_implies_exec = 33 [ default = false ];
    required bool persona_addr_limit_3gb = 34 [ default = false ];
    required bool persona_addr_no_randomize = 35 [ default = false ];

    /* Which name-spaces should be used? */
    required bool clone_newnet = 36 [ default = true ];
    required bool clone_newuser = 37 [ default = true ];
    required bool clone_newns = 38 [ default = true ];
    required bool clone_newpid = 39 [ default = true ];
    required bool clone_newipc = 40 [ default = true ];
    required bool clone_newuts = 41 [ default = true ];
    /* It's only supported in newer kernels, hence disabled by default */
    required bool clone_newcgroup = 42 [ default = false ];

    /* Mappings for UIDs and GIDs. See the description for 'msg IdMap'
       for more */
    repeated IdMap uidmap = 43;
    repeated IdMap gidmap = 44;

    /* Should /proc be mounted (R/O)? This can also be added in the 'mount'
       section below */
    required bool mount_proc = 45 [ default = false ];
    /* Mount points inside the jail. See the description for 'msg MountPt'
       for more */
    repeated MountPt mount = 46;

    /* Kafel seccomp-bpf policy file or a string:
       Homepage of the project: https://github.com/google/kafel */
    optional string seccomp_policy_file = 47;
    optional string seccomp_string = 48;

    /* If > 0, maximum cumulative size of RAM used inside any jail */
    required uint64 cgroup_mem_max = 49 [ default = 0 ]; /* In MiB */
    /* Mount point for cgroups-memory in your system */
    required string cgroup_mem_mount = 50 [ default = "/sys/fs/cgroup/memory" ];
    /* Writeable directory (for the nsjail user) under cgroup_mem_mount */
    required string cgroup_mem_parent = 51 [ default = "NSJAIL" ];

    /* If > 0, maximum number of PIDs (threads/processes) inside jail */
    required uint64 cgroup_pids_max = 52 [ default = 0 ];
    /* Mount point for cgroups-pids in your system */
    required string cgroup_pids_mount = 53 [ default = "/sys/fs/cgroup/pids" ];
    /* Writeable directory (for the nsjail user) under cgroup_pids_mount */
    required string cgroup_pids_parent = 54 [ default = "NSJAIL" ];

    /* Should the 'lo' interface be brought up (active) inside this jail? */
    required bool iface_no_lo = 55 [ default = false ];

    /* Parameters for the cloned MACVLAN interface inside jail */
    optional string macvlan_iface = 56; /* Interface to be cloned, eg 'eth0' */
    required string macvlan_vs_ip = 57 [ default = "192.168.0.2" ];
    required string macvlan_vs_nm = 58 [ default = "255.255.255.0" ];
    required string macvlan_vs_gw = 59 [ default = "192.168.0.1" ];

    /* Binary path (with arguments) to be executed. If not specified here, it
       can be specified with cmd-line as "-- /path/to/command arg1 arg2" */
    optional Exe exec_bin = 60;
}