181 lines
7.6 KiB
Protocol Buffer
181 lines
7.6 KiB
Protocol Buffer
syntax = "proto2";
|
|
|
|
package nsjail;
|
|
|
|
enum Mode {
|
|
LISTEN = 0; /* Listening on a TCP port */
|
|
ONCE = 1; /* Running the command once only */
|
|
RERUN = 2; /* Re-executing the command (forever) */
|
|
EXECVE = 3; /* Executing command w/o the supervisor */
|
|
}
|
|
/* Should be self explanatory */
|
|
enum LogLevel {
|
|
DEBUG = 0; /* Equivalent to the '-v' cmd-line option */
|
|
INFO = 1; /* Default level */
|
|
WARNING = 2; /* Equivalent to the '-q' cmd-line option */
|
|
ERROR = 3;
|
|
FATAL = 4;
|
|
}
|
|
message IdMap
|
|
{
|
|
/* Empty string means "current uid/gid" */
|
|
required string inside_id = 1 [ default = "" ];
|
|
required string outside_id = 2 [ default = "" ];
|
|
/* See 'man user_namespaces' for the meaning of count */
|
|
required uint32 count = 3 [ default = 1 ];
|
|
/* Does this map use /usr/bin/new[u|g]idmap binary? */
|
|
required bool use_newidmap = 4 [ default = false ];
|
|
}
|
|
message MountPt
|
|
{
|
|
/* Can be skipped for filesystems like 'proc' */
|
|
optional string src = 1;
|
|
required string dst = 2;
|
|
/* Can be empty for mount --bind mounts */
|
|
optional string fstype = 3 [ default = "" ];
|
|
/* E.g. size=5000000 for 'tmpfs' */
|
|
required string options = 4 [ default = "" ];
|
|
/* Is it 'mount --bind src dst' type of mount */
|
|
required bool is_bind = 5 [ default = false ];
|
|
/* It it RO mount */
|
|
required bool is_ro = 6 [ default = false ];
|
|
/* Is it directory? If not specified an internal
|
|
heuristics will be used to determine that */
|
|
optional bool is_dir = 7;
|
|
/* Should the sandboxing fail if we cannot mount this resource? */
|
|
required bool mandatory = 8 [ default = true ];
|
|
}
|
|
message Exe
|
|
{
|
|
/* Will be used both as execv's path and as argv[0] */
|
|
required string path = 1;
|
|
/* This will be argv[1] and so on.. */
|
|
repeated string arg = 2;
|
|
}
|
|
message NsJailConfig
|
|
{
|
|
/* Optional name and description for this config */
|
|
optional string name = 1 [ default = "" ];
|
|
optional string description = 2 [ default = "" ];
|
|
|
|
/* Execution mode: see 'msg Mode' description for more */
|
|
required Mode mode = 3 [ default = ONCE ];
|
|
/* Equivalent to a bind mount with dst='/' */
|
|
optional string chroot_dir = 4;
|
|
/* Applies both to the chroot_dir and to /proc mounts */
|
|
required bool is_root_rw = 5 [ default = false ];
|
|
/* Hostname inside jail */
|
|
required string hostname = 8 [ default = "NSJAIL" ];
|
|
/* Initial current working directory for the binary */
|
|
required string cwd = 9 [ default = "/" ];
|
|
|
|
/* TCP port to listen to. Valid with mode=LISTEN only */
|
|
required uint32 port = 10 [ default = 0 ];
|
|
/* Host to bind to for mode=LISTEN. Must be in IPv6 format */
|
|
required string bindhost = 11 [ default = "::" ];
|
|
/* For mode=LISTEN, maximum number of connections from a single IP */
|
|
required uint32 max_conns_per_ip = 12 [ default = 0 ];
|
|
|
|
/* Wall-time time limit for commands */
|
|
required uint32 time_limit = 13 [ default = 600 ];
|
|
/* Should nsjail go into background? */
|
|
required bool daemon = 14 [ default = false ];
|
|
|
|
/* File to save lofs to */
|
|
optional string log_file = 15;
|
|
/* Minimum log level displayed.
|
|
See 'msg LogLevel' description for more */
|
|
optional LogLevel log_level = 16;
|
|
|
|
/* Should the current environment variables be kept
|
|
when executing the binary */
|
|
required bool keep_env = 17 [ default = false ];
|
|
/* EnvVars to be set before executing binaries */
|
|
repeated string envar = 18;
|
|
|
|
/* Should nsjail close FD=0,1,2 before executing the process */
|
|
required bool silent = 19 [ default = false ];
|
|
/* Should the child process have control over terminal?
|
|
Can be useful to allow /bin/sh to provide
|
|
job control / signals */
|
|
required bool skip_setsid = 20 [ default = false ];
|
|
/* Which FDs should be passed to the newly executed process
|
|
By default only FD=0,1,2 are passed */
|
|
repeated int32 pass_fd = 21;
|
|
/* Should pivot_root be used instead of chroot?
|
|
Using pivot_root allows to have subnamespaces */
|
|
required bool pivot_root_only = 22 [ default = false ];
|
|
/* Setting it to true will allow to have set-uid binaries
|
|
inside the jail */
|
|
required bool disable_no_new_privs = 23 [ default = false ];
|
|
|
|
required uint64 rlimit_as = 24 [ default = 512 ]; /* In MiB */
|
|
required uint64 rlimit_core = 25 [ default = 0 ]; /* In MiB */
|
|
required uint64 rlimit_cpu = 26 [ default = 600 ]; /* In seconds */
|
|
required uint64 rlimit_fsize = 27 [ default = 1 ]; /* In MiB */
|
|
required uint64 rlimit_nofile = 28 [ default = 32 ];
|
|
optional uint64 rlimit_nproc = 29; /* This is system-wide: tricky to use */
|
|
optional uint64 rlimit_stack = 30; /* In MiB */
|
|
|
|
/* See 'man personality' for more */
|
|
required bool persona_addr_compat_layout = 31 [ default = false ];
|
|
required bool persona_mmap_page_zero = 32 [ default = false ];
|
|
required bool persona_read_implies_exec = 33 [ default = false ];
|
|
required bool persona_addr_limit_3gb = 34 [ default = false ];
|
|
required bool persona_addr_no_randomize = 35 [ default = false ];
|
|
|
|
/* Which name-spaces should be used? */
|
|
required bool clone_newnet = 36 [ default = true ];
|
|
required bool clone_newuser = 37 [ default = true ];
|
|
required bool clone_newns = 38 [ default = true ];
|
|
required bool clone_newpid = 39 [ default = true ];
|
|
required bool clone_newipc = 40 [ default = true ];
|
|
required bool clone_newuts = 41 [ default = true ];
|
|
/* It's only supported in newer kernels, hence disabled by default */
|
|
required bool clone_newcgroup = 42 [ default = false ];
|
|
|
|
/* Mappings for UIDs and GIDs. See the description for 'msg IdMap'
|
|
for more */
|
|
repeated IdMap uidmap = 43;
|
|
repeated IdMap gidmap = 44;
|
|
|
|
/* Should /proc be mounted (R/O)? This can also be added in the 'mount'
|
|
section below */
|
|
required bool mount_proc = 45 [ default = false ];
|
|
/* Mount points inside the jail. See the description for 'msg MountPt'
|
|
for more */
|
|
repeated MountPt mount = 46;
|
|
|
|
/* Kafel seccomp-bpf policy file or a string:
|
|
Homepage of the project: https://github.com/google/kafel */
|
|
optional string seccomp_policy_file = 47;
|
|
optional string seccomp_string = 48;
|
|
|
|
/* If > 0, maximum cumulative size of RAM used inside any jail */
|
|
required uint64 cgroup_mem_max = 49 [ default = 0 ]; /* In MiB */
|
|
/* Mount point for cgroups-memory in your system */
|
|
required string cgroup_mem_mount = 50 [ default = "/sys/fs/cgroup/memory" ];
|
|
/* Writeable directory (for the nsjail user) under cgroup_mem_mount */
|
|
required string cgroup_mem_parent = 51 [ default = "NSJAIL" ];
|
|
|
|
/* If > 0, maximum number of PIDs (threads/processes) inside jail */
|
|
required uint64 cgroup_pids_max = 52 [ default = 0 ];
|
|
/* Mount point for cgroups-pids in your system */
|
|
required string cgroup_pids_mount = 53 [ default = "/sys/fs/cgroup/pids" ];
|
|
/* Writeable directory (for the nsjail user) under cgroup_pids_mount */
|
|
required string cgroup_pids_parent = 54 [ default = "NSJAIL" ];
|
|
|
|
/* Should the 'lo' interface be brought up (active) inside this jail? */
|
|
required bool iface_no_lo = 55 [ default = false ];
|
|
|
|
/* Parameters for the cloned MACVLAN interface inside jail */
|
|
optional string macvlan_iface = 56; /* Interface to be cloned, eg 'eth0' */
|
|
required string macvlan_vs_ip = 57 [ default = "192.168.0.2" ];
|
|
required string macvlan_vs_nm = 58 [ default = "255.255.255.0" ];
|
|
required string macvlan_vs_gw = 59 [ default = "192.168.0.1" ];
|
|
|
|
/* Binary path (with arguments) to be executed. If not specified here, it
|
|
can be specified with cmd-line as "-- /path/to/command arg1 arg2" */
|
|
optional Exe exec_bin = 60;
|
|
}
|