| # Copyright 2022 The Go Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style |
| # license that can be found in the LICENSE file. |
| # |
| # This file is JSON with comments. |
| # A comment is any line whose first non-whitespace character is #. |
| # A sed script in the Makefile and in deploy/worker.yaml removes |
| # the comments to produce valid JSON. |
| # |
| # This is a bundle config file for runsc, as specified by the |
| # Open Container Initiative: see |
| # https://github.com/opencontainers/runtime-spec/blob/main/config.md. |
| # Most of this file is generated by "runsc spec"; see |
| # https://gvisor.dev/docs/user_guide/quick_start/oci. |
| # The few important tweaks are commented. |
| { |
| "ociVersion": "1.0.0", |
| "process": { |
| "user": { |
| "uid": 0, |
| "gid": 0 |
| }, |
| "args": [ |
| # This is the command that "runsc run" will execute in the sandbox. |
| # See the internal/sandbox package. |
| # runsc will pipe the stdout and stderr to its caller, |
| # and will exit with the same return code. |
| "/runner" |
| ], |
| "env": [ |
| "PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", |
| "TERM=xterm" |
| ], |
| "cwd": "/", |
| "capabilities": { |
| "bounding": [ |
| "CAP_AUDIT_WRITE", |
| "CAP_KILL", |
| "CAP_NET_BIND_SERVICE" |
| ], |
| "effective": [ |
| "CAP_AUDIT_WRITE", |
| "CAP_KILL", |
| "CAP_NET_BIND_SERVICE" |
| ], |
| "inheritable": [ |
| "CAP_AUDIT_WRITE", |
| "CAP_KILL", |
| "CAP_NET_BIND_SERVICE" |
| ], |
| "permitted": [ |
| "CAP_AUDIT_WRITE", |
| "CAP_KILL", |
| "CAP_NET_BIND_SERVICE" |
| ] |
| }, |
| "rlimits": [ |
| { |
| "type": "RLIMIT_NOFILE", |
| "hard": 1048576, |
| "soft": 1048576 |
| } |
| ] |
| }, |
| "root": { |
| "path": "rootfs", |
| # The filesystem must be writeable so |
| # the go command can write to its caches. |
| "readonly": false |
| }, |
| "hostname": "runsc", |
| "mounts": [ |
| { |
| "destination": "/proc", |
| "type": "proc", |
| "source": "proc" |
| }, |
| { |
| "destination": "/dev", |
| "type": "tmpfs", |
| "source": "tmpfs" |
| }, |
| { |
| "destination": "/sys", |
| "type": "sysfs", |
| "source": "sysfs", |
| "options": [ |
| "nosuid", |
| "noexec", |
| "nodev", |
| "ro" |
| ] |
| }, |
| # Bind mounts. These let us map directories inside the sandbox |
| # (the destination) to directories outside (the source). |
| # If the source doesn't exist, you'll get the (obscure) error |
| # "cannot read client sync file". |
| # If the destination already exists, that's not an error, but the |
| # files in that directory will be hidden from code running inside the |
| # sandbox. |
| # Each bind mount below carries only the "bind" option (no "ro"), so |
| # these host directories are read-write from inside the sandbox, |
| # subject to host file permissions. |
| { |
| # Mount /app/binaries inside the sandbox to |
| # the same directory outside. |
| "destination": "/app/binaries", |
| "type": "none", |
| "source": "/app/binaries", |
| "options": ["bind"] |
| }, |
| { |
| # Mount /app/go-vulndb inside the sandbox to |
| # the same directory outside. |
| "destination": "/app/go-vulndb", |
| "type": "none", |
| "source": "/app/go-vulndb", |
| "options": ["bind"] |
| }, |
| { |
| # Mount /tmp/modules inside the sandbox to |
| # the same directory outside. |
| "destination": "/tmp/modules", |
| "type": "none", |
| "source": "/tmp/modules", |
| "options": ["bind"] |
| } |
| ], |
| "linux": { |
| "namespaces": [ |
| { |
| "type": "pid" |
| }, |
| { |
| "type": "network" |
| }, |
| { |
| "type": "ipc" |
| }, |
| { |
| "type": "uts" |
| }, |
| { |
| "type": "mount" |
| } |
| ] |
| } |
| } |