package sandbox2

Get desktop application:
View/edit binary Protocol Buffers messages

• repeated string value = 1

• repeated bytes args = 1

  List of arguments, starting with argv[0]

• repeated bytes envs = 2

  List of environment variables which will be passed to the child

• optional Mode mode = 3

  How to interpret the request

• optional int32 clone_flags = 4

  Clone flags for the new process

• optional MountTree mount_tree = 6

  The mount tree used for namespace initialization

• optional bytes hostname = 7

  Hostname in the network namespace

• optional bool allow_mount_propagation = 8

  Changes mount propagation from MS_PRIVATE to MS_SLAVE if set

• optional MonitorType monitor_type = 9

  Monitor type used by the sandbox

• optional bool allow_speculation = 10

  Whether to allow speculative execution inside the sandboxee

• optional NetNsMode netns_mode = 11

  Net namespace mode

• optional int32 severity = 1

• optional string path = 2

• optional int32 line = 3

• optional bytes message = 4

• optional int32 pid = 5

Used in: ForkRequest

• FORKSERVER_FORK_UNSPECIFIED = 0

  Default value

• FORKSERVER_FORK_EXECVE_SANDBOX = 1

  Fork, execve and sandbox

• FORKSERVER_FORK_EXECVE = 2

  Fork and execve, but no sandboxing

• FORKSERVER_FORK = 3

  Just fork

Used in: ForkRequest

• FORKSERVER_MONITOR_UNSPECIFIED = 0

  Default value

• FORKSERVER_MONITOR_PTRACE = 1

  Ptrace based monitor

• FORKSERVER_MONITOR_UNOTIFY = 2

  Seccomp_unotify based monitor

The MountTree maps path components to mount operations (bind/tmpfs). The path is encoded in the key of the entries map, with the root node representing /. To get the full path of a node, you will need to assemble the keys starting at the root node.

Used in: ForkRequest

• map<string, MountTree> entries = 1

  The entries are mappings from the next path component to the subtree.

• optional MountTree.Node node = 2

  The node of the current path. If not set, we'll just create a directory at this position.

• int64 index = 3

  Helps to keep a stable and deterministic order of mounts. Protobuf makes no guarantees about the order of map entries and may even randomize in certain build configurations.

DirNode is like FileNode but for directories.

Used in: Node

• string outside = 2

• bool writable = 3

FileNode represents a bind mount for a regular file using "outside" as the source.

Used in: Node

• string outside = 2

• bool writable = 3

Used in: MountTree

• oneof node

  • FileNode file_node = 1

  • DirNode dir_node = 2

  • TmpfsNode tmpfs_node = 3

  • RootNode root_node = 4

RootNode is as special node for root of the MountTree

Used in: Node

• bool writable = 3

TmpfsNode mounts a tmpfs with given options.

Used in: Node

• string tmpfs_options = 1

Enum representing the net_ns mode, used by policybuilder, forkserver, and executor.

Used in: ForkRequest

• NETNS_MODE_UNSPECIFIED = 0

• NETNS_MODE_PER_SANDBOXEE = 1

  Create a new netns for each sandbox (default).

• NETNS_MODE_NONE = 2

  Do not create a netns. This will disable the network namespace isolation from the host and expose its network interfaces to the sandboxee (generally granting internet access). Networking syscalls must be allowed in the policy in order to use the network.

• NETNS_MODE_SHARED_PER_FORKSERVER = 3

  Create a netns shared by all sandboxees started by a forkserver.

• repeated string stacktrace = 1

  Readable stacktrace, symbolized, one frame per line

• uint64 pid = 1

  Process ID of the process to unwind. Required.

• bytes regs = 2

  Register content for the process to unwind

• uint64 default_max_frames = 3

  Optional Maximum number of stack frames to unwind