github.com/criyle/go-sandbox@v0.10.3/runner/ptrace/runner_linux.go (about)

     1  package ptrace
     2  
     3  import (
     4  	"syscall"
     5  
     6  	"github.com/criyle/go-sandbox/pkg/rlimit"
     7  	"github.com/criyle/go-sandbox/pkg/seccomp"
     8  	"github.com/criyle/go-sandbox/ptracer"
     9  	"github.com/criyle/go-sandbox/runner"
    10  )
    11  
    12  // Runner describes one program run under the ptrace-based sandbox:
        // what to execute, the limits applied to it, and how traced syscalls are decided.
    13  type Runner struct {
    14  	// Args and Env are the argv and environment for the child process.
    15  	// WorkDir is the work path set by setcwd (current working directory for the child).
    16  	Args    []string
    17  	Env     []string
    18  	WorkDir string
    19  
    20  	// ExecFile is used for fexecve; presumably a descriptor of the program to execute (TODO confirm).
    21  	ExecFile uintptr
    22  
    23  	// Files are the file descriptors for the new process, from 0 to len - 1.
        	// NOTE(review): the Handler checks in this file take a string, not a descriptor, so
        	// presumably anything listed here is usable by the child without those checks;
        	// pass only the descriptors the program needs (confirm against the tracer).
    24  	Files []uintptr
    25  
    26  	// RLimits are the resource limits set through rlimit.
    27  	RLimits []rlimit.RLimit
    28  
    29  	// Limit is the resource limit enforced by the tracer.
    30  	Limit runner.Limit
    31  
    32  	// Seccomp defines the seccomp filter for the ptrace runner.
    33  	// File access syscalls need to be set as ActionTrace,
    34  	// allowed syscalls need to be set as ActionAllow,
    35  	// and the default action should be ActionTrace or ActionKill.
        	// NOTE(review): with that default, a syscall the filter does not list is traced or
        	// killed rather than silently allowed; nothing in this struct enforces the choice,
        	// so the caller building the filter is responsible for it.
    36  	Seccomp seccomp.Filter
    37  
    38  	// Handler is the handler for traced syscalls.
    39  	Handler Handler
    40  
    41  	// ShowDetails and Unsafe are debug flags.
        	// NOTE(review): this file does not show what Unsafe relaxes; confirm its effect
        	// before setting it anywhere other than a debugging session.
    42  	ShowDetails, Unsafe bool
    43  
    44  	// SyncFunc is used by cgroup to add the process; it receives a pid
        	// (presumably the child's, TODO confirm) and may return an error.
    45  	SyncFunc func(pid int) error
    46  }
    47  
    48  // BanRet is the errno value returned for a syscall ban action; it is initialised to EACCES.
        // It is a package-level variable, so reassigning it changes the value for every user of this package.
    49  var BanRet = syscall.EACCES
    50  
    51  // Handler decides the action to take when a file access or other traced syscall is encountered.
        // Each method receives a string and returns the ptracer.TraceAction to apply.
        // The string is presumably the file path for CheckRead, CheckWrite and CheckStat,
        // and the syscall name for CheckSyscall (TODO confirm against the tracer).
        // NOTE(review): if the path originates from the traced program, implementations should
        // treat it as untrusted input (relative components, symlinks); confirm whether the
        // caller normalizes it before these methods are invoked.
    52  type Handler interface {
    53  	CheckRead(string) ptracer.TraceAction
    54  	CheckWrite(string) ptracer.TraceAction
    55  	CheckStat(string) ptracer.TraceAction
    56  	CheckSyscall(string) ptracer.TraceAction
    57  }