sandbox

package
v3.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 29, 2026 License: MIT Imports: 9 Imported by: 0

Documentation

Overview

-- internal/sandbox/types.go --

Index

Constants

View Source 
const (
	// Security Directives
	// Hard limits prevent neighbor noise and resource exhaustion attacks.
	MemLimitBytes = 512 * 1024 * 1024 // 512MB
	CPUShares     = 1024
	PidsMax       = 64 // Limits fork bombs
	EnvSandboxID  = "SFW_SANDBOX_ID"
	RuntimeBinary = "runsc"
)

Variables

This section is empty.

Functions

func IsSandboxed 

func IsSandboxed() bool

IsSandboxed checks if the current process is already running inside the sandbox. This prevents infinite recursion if the worker accidentally calls Run().

func Run 

func Run(ctx context.Context, cfg Config, stdout, stderr io.Writer) error

Run executes the current binary (self) inside a gVisor sandbox. It streams stdout and stderr directly to the provided writers to prevent memory buffering which could be exploited to crash the parent via OOM.

Types

type CPU 

type CPU struct {
	Shares uint64 `json:"shares"`
}

type Capabilities 

type Capabilities struct {
	Bounding    []string `json:"bounding"`
	Effective   []string `json:"effective"`
	Inheritable []string `json:"inheritable"`
	Permitted   []string `json:"permitted"`
	Ambient     []string `json:"ambient"`
}

type Config 

type Config struct {
	Args    []string // Arguments for the internal worker
	Mounts  []string // List of host paths to bind mount (read only)
	WorkDir string   // Working directory inside the sandbox
}

Config defines the execution parameters for the sandboxed process.

type IDMapping 

type IDMapping struct {
	ContainerID int `json:"containerID"`
	HostID      int `json:"hostID"`
	Size        int `json:"size"`
}

type Linux 

type Linux struct {
	Namespaces  []Namespace `json:"namespaces"`
	UIDMappings []IDMapping `json:"uidMappings"`
	GIDMappings []IDMapping `json:"gidMappings"`
	Resources   *Resources  `json:"resources"`
}

type Memory 

type Memory struct {
	Limit int64 `json:"limit"`
}

type Mount 

type Mount struct {
	Destination string   `json:"destination"`
	Type        string   `json:"type"`
	Source      string   `json:"source"`
	Options     []string `json:"options"`
}

type Namespace 

type Namespace struct {
	Type string `json:"type"`
}

type Pids 

type Pids struct {
	Limit int64 `json:"limit"`
}

type Process 

type Process struct {
	User            User          `json:"user"`
	Args            []string      `json:"args"`
	Env             []string      `json:"env"`
	Cwd             string        `json:"cwd"`
	Capabilities    *Capabilities `json:"capabilities"`
	Rlimits         []Rlimit      `json:"rlimits"`
	NoNewPrivileges bool          `json:"noNewPrivileges"`
}

type Resources 

type Resources struct {
	Memory *Memory `json:"memory"`
	CPU    *CPU    `json:"cpu"`
	Pids   *Pids   `json:"pids"`
}

type Rlimit 

type Rlimit struct {
	Type string `json:"type"`
	Hard uint64 `json:"hard"`
	Soft uint64 `json:"soft"`
}

type Root 

type Root struct {
	Path     string `json:"path"`
	Readonly bool   `json:"readonly"`
}

type Spec 

type Spec struct {
	Version string   `json:"ociVersion"`
	Process *Process `json:"process"`
	Root    *Root    `json:"root"`
	Mounts  []Mount  `json:"mounts"`
	Linux   *Linux   `json:"linux"`
}

type User 

type User struct {
	UID int `json:"uid"`
	GID int `json:"gid"`
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.