2020-01-17 05:05:03 -08:00
|
|
|
// Copyright 2019 Google LLC
|
2019-03-18 17:21:48 +01:00
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
2022-01-28 01:38:27 -08:00
|
|
|
// https://www.apache.org/licenses/LICENSE-2.0
|
2019-03-18 17:21:48 +01:00
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
// A proto for the sandbox2::Forkserver class
|
|
|
|
|
2022-03-14 07:27:57 -07:00
|
|
|
syntax = "proto3";
|
2020-01-31 05:39:03 -08:00
|
|
|
|
2019-03-18 17:21:48 +01:00
|
|
|
package sandbox2;
|
|
|
|
|
2022-03-14 05:14:41 -07:00
|
|
|
import "sandboxed_api/sandbox2/mount_tree.proto";
|
2019-03-18 17:21:48 +01:00
|
|
|
|
|
|
|
enum Mode {
|
2022-03-14 07:27:57 -07:00
|
|
|
// Default value
|
|
|
|
FORKSERVER_FORK_UNSPECIFIED = 0;
|
2019-03-18 17:21:48 +01:00
|
|
|
// Fork, execve and sandbox
|
|
|
|
FORKSERVER_FORK_EXECVE_SANDBOX = 1;
|
|
|
|
// Fork and execve, but no sandboxing
|
|
|
|
FORKSERVER_FORK_EXECVE = 2;
|
|
|
|
// Just fork
|
|
|
|
FORKSERVER_FORK = 3;
|
|
|
|
// Special internal case: join a user namespace prior to unwinding
|
|
|
|
FORKSERVER_FORK_JOIN_SANDBOX_UNWIND = 4;
|
|
|
|
}
|
|
|
|
|
2023-03-08 08:08:35 -08:00
|
|
|
enum MonitorType {
|
|
|
|
// Default value
|
|
|
|
FORKSERVER_MONITOR_UNSPECIFIED = 0;
|
|
|
|
// Ptrace based monitor
|
|
|
|
FORKSERVER_MONITOR_PTRACE = 1;
|
|
|
|
// Seccomp_unotify based monitor
|
|
|
|
FORKSERVER_MONITOR_UNOTIFY = 2;
|
|
|
|
}
|
|
|
|
|
2019-03-18 17:21:48 +01:00
|
|
|
message ForkRequest {
|
|
|
|
// List of arguments, starting with argv[0]
|
|
|
|
repeated bytes args = 1;
|
|
|
|
// List of environment variables which will be passed to the child
|
|
|
|
repeated bytes envs = 2;
|
|
|
|
|
|
|
|
// How to interpret the request
|
2022-03-14 07:27:57 -07:00
|
|
|
optional Mode mode = 3;
|
2019-03-18 17:21:48 +01:00
|
|
|
|
|
|
|
// Clone flags for the new process
|
2022-03-14 07:27:57 -07:00
|
|
|
optional int32 clone_flags = 4;
|
2019-03-18 17:21:48 +01:00
|
|
|
|
|
|
|
// Capabilities to keep when starting the sandboxee
|
|
|
|
repeated int32 capabilities = 5;
|
|
|
|
|
|
|
|
// The mount tree used for namespace initialization
|
|
|
|
optional MountTree mount_tree = 6;
|
|
|
|
|
|
|
|
// Hostname in the network namespace
|
|
|
|
optional bytes hostname = 7;
|
2022-03-08 08:00:46 -08:00
|
|
|
|
|
|
|
// Changes mount propagation from MS_PRIVATE to MS_SLAVE if set
|
|
|
|
optional bool allow_mount_propagation = 8;
|
2023-03-08 08:08:35 -08:00
|
|
|
|
|
|
|
// Monitor type used by the sandbox
|
|
|
|
optional MonitorType monitor_type = 9;
|
2019-03-18 17:21:48 +01:00
|
|
|
}
|