github.com/criyle/go-sandbox@v0.10.3/pkg/forkexec/consts_linux.go (about) 1 package forkexec 2 3 import ( 4 "golang.org/x/sys/unix" 5 ) 6 7 // defines missing consts from syscall package 8 const ( 9 SECCOMP_SET_MODE_STRICT = 0 10 SECCOMP_SET_MODE_FILTER = 1 11 SECCOMP_FILTER_FLAG_TSYNC = 1 12 13 // Unshare flags 14 UnshareFlags = unix.CLONE_NEWIPC | unix.CLONE_NEWNET | unix.CLONE_NEWNS | 15 unix.CLONE_NEWPID | unix.CLONE_NEWUSER | unix.CLONE_NEWUTS | unix.CLONE_NEWCGROUP 16 17 // Read-only bind mount need to be remounted 18 bindRo = unix.MS_BIND | unix.MS_RDONLY 19 ) 20 21 // used by unshare remount / to private 22 var ( 23 none = []byte("none\000") 24 slash = []byte("/\000") 25 empty = []byte("\000") 26 tmpfs = []byte("tmpfs\000") 27 28 // tmp dir made by pivot_root 29 oldRoot = []byte("old_root\000") 30 31 // set groups for unshare user 32 setGIDAllow = []byte("allow") 33 setGIDDeny = []byte("deny") 34 35 // go does not allow constant uintptr to be negative... 36 _AT_FDCWD = unix.AT_FDCWD 37 38 // Drop all capabilities 39 dropCapHeader = unix.CapUserHeader{ 40 Version: unix.LINUX_CAPABILITY_VERSION_3, 41 Pid: 0, 42 } 43 44 dropCapData = unix.CapUserData{ 45 Effective: 0, 46 Permitted: 0, 47 Inheritable: 0, 48 } 49 50 // 1ms 51 etxtbsyRetryInterval = unix.Timespec{ 52 Nsec: 1 * 1000 * 1000, 53 } 54 ) 55 56 const ( 57 _SECURE_NOROOT = 1 << iota 58 _SECURE_NOROOT_LOCKED 59 60 _SECURE_NO_SETUID_FIXUP 61 _SECURE_NO_SETUID_FIXUP_LOCKED 62 63 _SECURE_KEEP_CAPS 64 _SECURE_KEEP_CAPS_LOCKED 65 66 _SECURE_NO_CAP_AMBIENT_RAISE 67 _SECURE_NO_CAP_AMBIENT_RAISE_LOCKED 68 )