// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// A proto for the sandbox2::Forkserver class.
//
// It defines the request message (ForkRequest) and the two enums it uses.
// Several fields here (mode, clone_flags, capabilities, mount_tree,
// allow_mount_propagation) decide how much isolation the new process gets,
// so whoever fills in a ForkRequest is effectively choosing the sandbox
// policy for that process.

syntax = "proto3";

package sandbox2;

import "sandboxed_api/sandbox2/mount_tree.proto";

// What the forkserver is asked to do for one request.
enum Mode {
  // Default value. This is the proto3 zero value, so it is also what a
  // reader gets from an enum field that was never set.
  // NOTE(review): how the forkserver handles this value is not visible
  // in this file; rejecting it is safer than silently choosing a mode.
  FORKSERVER_FORK_UNSPECIFIED = 0;
  // Fork, execve and sandbox
  FORKSERVER_FORK_EXECVE_SANDBOX = 1;
  // Fork and execve, but no sandboxing.
  // The resulting process runs without the sandbox, so any code path that
  // selects this mode deserves review.
  FORKSERVER_FORK_EXECVE = 2;
  // Just fork (no execve).
  FORKSERVER_FORK = 3;
  // Number 4 is reserved, so no future enumerator can reuse it.
  // NOTE(review): presumably a removed mode; confirm in the file history.
  reserved 4;
}

// Which mechanism monitors the sandboxee.
enum MonitorType {
  // Default value (proto3 zero value, also seen when the field is unset).
  FORKSERVER_MONITOR_UNSPECIFIED = 0;
  // Ptrace based monitor
  FORKSERVER_MONITOR_PTRACE = 1;
  // Seccomp_unotify based monitor
  FORKSERVER_MONITOR_UNOTIFY = 2;
}

// Describes one process the forkserver is asked to create.
//
// The singular fields are declared `optional`, which in proto3 gives them
// explicit presence: a reader can tell "not set" apart from "set to the
// zero value".
message ForkRequest {
  // List of arguments, starting with argv[0].
  // Declared as bytes, not string, so entries are not required to be
  // valid UTF-8.
  repeated bytes args = 1;
  // List of environment variables which will be passed to the child.
  // Also bytes, so entries are not required to be valid UTF-8.
  // NOTE(review): presumably "NAME=value" entries; confirm against the
  // forkserver code.
  repeated bytes envs = 2;

  // How to interpret the request (see Mode).
  optional Mode mode = 3;

  // Clone flags for the new process.
  // NOTE(review): presumably CLONE_* bits as used by clone(2), which would
  // decide which namespaces the child gets; confirm against the forkserver.
  optional int32 clone_flags = 4;

  // Capabilities to keep when starting the sandboxee.
  // Every entry is a privilege the sandboxee retains, so this list should
  // stay as short as the workload allows.
  // NOTE(review): presumably Linux capability numbers (CAP_*), with an
  // empty list meaning none are kept; confirm against the forkserver.
  repeated int32 capabilities = 5;

  // The mount tree used for namespace initialization.
  // MountTree is defined in the imported mount_tree.proto.
  optional MountTree mount_tree = 6;

  // Hostname in the network namespace
  optional bytes hostname = 7;

  // Changes mount propagation from MS_PRIVATE to MS_SLAVE if set.
  // Under MS_SLAVE a mount receives mount and unmount events from its
  // master peer group (see mount_namespaces(7)), so setting this lets
  // outside mount changes become visible in the sandboxee's mount
  // namespace; with MS_PRIVATE they would not.
  optional bool allow_mount_propagation = 8;

  // Monitor type used by the sandbox (see MonitorType).
  optional MonitorType monitor_type = 9;
}