github.com/criyle/go-sandbox@v0.10.3/pkg/forkexec/consts_linux.go (about)

     1  package forkexec
     2  
     3  import (
     4  	"golang.org/x/sys/unix"
     5  )
     6  
     7  // Seccomp constants that the syscall package does not define, followed by
        // the namespace and mount flag sets this package uses.
     8  const (
        	// Operation codes for seccomp(2); the values match <linux/seccomp.h>.
     9  	SECCOMP_SET_MODE_STRICT   = 0
    10  	SECCOMP_SET_MODE_FILTER   = 1
        	// Flag bit (1 << 0 in <linux/seccomp.h>) for the filter operation: the
        	// kernel synchronises the new filter to every thread of the process.
        	// It shares the numeric value 1 with SECCOMP_SET_MODE_FILTER, but it
        	// belongs in the flags argument, not in the operation argument.
    11  	SECCOMP_FILTER_FLAG_TSYNC = 1
    12  
    13  	// UnshareFlags requests a new namespace of every type listed here: IPC,
        	// network, mount, PID, user, UTS and cgroup.
    14  	UnshareFlags = unix.CLONE_NEWIPC | unix.CLONE_NEWNET | unix.CLONE_NEWNS |
    15  		unix.CLONE_NEWPID | unix.CLONE_NEWUSER | unix.CLONE_NEWUTS | unix.CLONE_NEWCGROUP
    16  
    17  	// bindRo is MS_BIND|MS_RDONLY. The kernel ignores MS_RDONLY when a bind
        	// mount is first created, so a read-only bind mount needs a second
        	// mount call that remounts it.
        	// NOTE(review): MS_REMOUNT is not part of this constant; presumably the
        	// caller ORs it in for the second call. Confirm at the call site, since
        	// without the remount the bind mount stays writable.
    18  	bindRo = unix.MS_BIND | unix.MS_RDONLY
    19  )
    20  
    21  // Byte strings and syscall argument structs, declared once at package level.
        // The first group is used by the unshare path to remount / as private; each
        // of those literals carries its own trailing NUL byte.
        // NOTE(review): presumably they are passed by pointer to raw syscalls as C
        // strings, which is why the terminator is written out. Confirm at the call
        // sites.
    22  var (
    23  	none  = []byte("none\000")
    24  	slash = []byte("/\000")
    25  	empty = []byte("\000")
    26  	tmpfs = []byte("tmpfs\000")
    27  
    28  	// Name of the temporary directory used with pivot_root (NUL-terminated).
    29  	oldRoot = []byte("old_root\000")
    30  
    31  	// Values for the setgroups setting of a new user namespace. Unlike the
        	// strings above these have no trailing NUL.
        	// NOTE(review): presumably they are written as file content to
        	// /proc/<pid>/setgroups; confirm. Per user_namespaces(7), an
        	// unprivileged writer must set "deny" before it may write gid_map, which
        	// keeps the process from dropping supplementary groups via setgroups(2).
    32  	setGIDAllow = []byte("allow")
    33  	setGIDDeny  = []byte("deny")
    34  
    35  	// AT_FDCWD is negative and Go rejects converting a negative constant to
        	// uintptr, so the value is held in a variable instead of a constant.
    36  	_AT_FDCWD = unix.AT_FDCWD
    37  
    38  	// Arguments for a capset(2) call that drops all capabilities. Pid 0
        	// addresses the calling thread.
    39  	dropCapHeader = unix.CapUserHeader{
    40  		Version: unix.LINUX_CAPABILITY_VERSION_3,
    41  		Pid:     0,
    42  	}
    43  
        	// All three sets (effective, permitted, inheritable) are zero.
        	// NOTE(review): with LINUX_CAPABILITY_VERSION_3 the kernel reads two
        	// data structs (64-bit capability sets) from the data pointer, but this
        	// is a single CapUserData. Confirm the call site does not pass a
        	// pointer to just this one struct; if it does, the upper 32 capability
        	// bits are taken from whatever memory follows it. A zeroed two-element
        	// array would be the safe shape.
    44  	dropCapData = unix.CapUserData{
    45  		Effective:   0,
    46  		Permitted:   0,
    47  		Inheritable: 0,
    48  	}
    49  
    50  	// 1ms, expressed in nanoseconds.
        	// NOTE(review): the name suggests this is the sleep between retries of
        	// an exec that failed with ETXTBSY; confirm against the caller.
    51  	etxtbsyRetryInterval = unix.Timespec{
    52  		Nsec: 1 * 1000 * 1000,
    53  	}
    54  )
    55  
    56  const (
        	// Securebits flag values, one bit per constant. iota advances once per
        	// constant and blank lines do not count, so the values run 1, 2, 4, 8,
        	// 16, 32, 64, 128. They match SECBIT_* in <linux/securebits.h>, so the
        	// order of this list must not change.
        	// Each *_LOCKED bit makes its base flag immutable (capabilities(7)).
        	// NOTE(review): a base flag set without its _LOCKED partner can be
        	// cleared again by a process holding CAP_SETPCAP. Confirm the caller
        	// sets both bits where the restriction has to be permanent.
    57  	_SECURE_NOROOT = 1 << iota
    58  	_SECURE_NOROOT_LOCKED
    59  
    60  	_SECURE_NO_SETUID_FIXUP
    61  	_SECURE_NO_SETUID_FIXUP_LOCKED
    62  
    63  	_SECURE_KEEP_CAPS
    64  	_SECURE_KEEP_CAPS_LOCKED
    65  
    66  	_SECURE_NO_CAP_AMBIENT_RAISE
    67  	_SECURE_NO_CAP_AMBIENT_RAISE_LOCKED
    68  )