sandbox

package

v3.1.3 Latest Latest Go to latest Published: Jan 30, 2026 License: MIT Imports: 9 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/BlackVectorOps/semantic_firewall

Links

Open Source Insights

Documentation ¶

Overview ¶

-- internal/sandbox/manager.go --

-- internal/sandbox/types.go --

Index ¶

Constants
func IsSandboxed() bool
func Run(ctx context.Context, cfg Config, stdout, stderr io.Writer) error
type CPU
type Capabilities
type Config
type IDMapping
type Linux
type Memory
type Mount
type Namespace
type Pids
type Process
type Resources
type Rlimit
type Root
type Spec
type User

Constants ¶

View Source

const (
	// Security Directives
	MemLimitBytes = 512 * 1024 * 1024 // 512MB
	CPUShares     = 1024
	PidsMax       = 64
	EnvSandboxID  = "SFW_SANDBOX_ID"
	RuntimeBinary = "runsc"
)

Variables ¶

This section is empty.

Functions ¶

func IsSandboxed ¶

func IsSandboxed() bool

Checks if the current process is already running inside the sandbox.

func Run ¶

func Run(ctx context.Context, cfg Config, stdout, stderr io.Writer) error

Run executes the current binary (self) inside a gVisor sandbox.

Types ¶

type CPU ¶

type CPU struct {
	Shares uint64 `json:"shares"`
}

type Capabilities ¶

type Capabilities struct {
	Bounding    []string `json:"bounding"`
	Effective   []string `json:"effective"`
	Inheritable []string `json:"inheritable"`
	Permitted   []string `json:"permitted"`
	Ambient     []string `json:"ambient"`
}

type Config ¶

type Config struct {
	Args    []string // Arguments for the internal worker
	Mounts  []string // List of host paths to bind mount (read only)
	WorkDir string   // Working directory inside the sandbox
}

Config defines the execution parameters for the sandboxed process.

type IDMapping ¶

type IDMapping struct {
	ContainerID int `json:"containerID"`
	HostID      int `json:"hostID"`
	Size        int `json:"size"`
}

type Linux ¶

type Linux struct {
	Namespaces  []Namespace `json:"namespaces"`
	UIDMappings []IDMapping `json:"uidMappings"`
	GIDMappings []IDMapping `json:"gidMappings"`
	Resources   *Resources  `json:"resources"`
}

type Memory ¶

type Memory struct {
	Limit int64 `json:"limit"`
}

type Mount ¶

type Mount struct {
	Destination string   `json:"destination"`
	Type        string   `json:"type"`
	Source      string   `json:"source"`
	Options     []string `json:"options"`
}

type Namespace ¶

type Namespace struct {
	Type string `json:"type"`
}

type Pids ¶

type Pids struct {
	Limit int64 `json:"limit"`
}

type Process ¶

type Process struct {
	User            User          `json:"user"`
	Args            []string      `json:"args"`
	Env             []string      `json:"env"`
	Cwd             string        `json:"cwd"`
	Capabilities    *Capabilities `json:"capabilities"`
	Rlimits         []Rlimit      `json:"rlimits"`
	NoNewPrivileges bool          `json:"noNewPrivileges"`
}

type Resources ¶

type Resources struct {
	Memory *Memory `json:"memory"`
	CPU    *CPU    `json:"cpu"`
	Pids   *Pids   `json:"pids"`
}

type Rlimit ¶

type Rlimit struct {
	Type string `json:"type"`
	Hard uint64 `json:"hard"`
	Soft uint64 `json:"soft"`
}

type Root ¶

type Root struct {
	Path     string `json:"path"`
	Readonly bool   `json:"readonly"`
}

type Spec ¶

type Spec struct {
	Version string   `json:"ociVersion"`
	Process *Process `json:"process"`
	Root    *Root    `json:"root"`
	Mounts  []Mount  `json:"mounts"`
	Linux   *Linux   `json:"linux"`
}

type User ¶

type User struct {
	UID int `json:"uid"`
	GID int `json:"gid"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL