
     1  package securitypolicy
     2  
// ContainerConfigOpt is a functional option applied to a ContainerConfig
// while a container policy entry is being built. It returns a non-nil
// error when the option cannot be applied.
type ContainerConfigOpt func(config *ContainerConfig) error

// PolicyConfigOpt is a functional option applied to a PolicyConfig while a
// security policy is being built. It returns a non-nil error when the
// option cannot be applied.
type PolicyConfigOpt func(config *PolicyConfig) error
     6  
// WithEnvVarRules appends the given environment variable rules to
// ContainerConfig.EnvRules. Rules already present on the config are kept;
// calling the option twice accumulates both sets.
func WithEnvVarRules(envs []EnvRuleConfig) ContainerConfigOpt {
	return func(cfg *ContainerConfig) error {
		merged := append(cfg.EnvRules, envs...)
		cfg.EnvRules = merged
		return nil
	}
}
    14  
// WithWorkingDir sets ContainerConfig.WorkingDir to wd, replacing any
// previously configured working directory.
func WithWorkingDir(wd string) ContainerConfigOpt {
	return func(cfg *ContainerConfig) error {
		cfg.WorkingDir = wd
		return nil
	}
}
    22  
// WithMountConstraints appends the provided mount constraints to
// ContainerConfig.Mounts; constraints already on the config are retained.
func WithMountConstraints(mc []MountConfig) ContainerConfigOpt {
	return func(cfg *ContainerConfig) error {
		merged := append(cfg.Mounts, mc...)
		cfg.Mounts = merged
		return nil
	}
}
    31  
// WithAllowElevated sets ContainerConfig.AllowElevated, which permits the
// container to run in an elevated/privileged mode when true. The field's
// zero value is false, so a config built without this option does not
// grant elevation.
func WithAllowElevated(elevated bool) ContainerConfigOpt {
	return func(cfg *ContainerConfig) error {
		cfg.AllowElevated = elevated
		return nil
	}
}
    39  
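// WithCommand sets ContainerConfig.Command in container policy config.
//
// The command slice is copied before it is stored, so a later modification
// of the caller's slice cannot change the command recorded in the policy
// config. A nil cmd leaves Command nil; a non-nil empty cmd stores an empty,
// non-nil slice, preserving the caller's nil/empty distinction.
func WithCommand(cmd []string) ContainerConfigOpt {
	return func(c *ContainerConfig) error {
		if cmd == nil {
			c.Command = nil
			return nil
		}
		// Defensive copy: the config owns its command line rather than
		// aliasing the caller's backing array.
		owned := make([]string, len(cmd))
		copy(owned, cmd)
		c.Command = owned
		return nil
	}
}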
    47  
// WithAllowStdioAccess sets ContainerConfig.AllowStdioAccess, enabling
// (true) or disabling (false) stdio for the container init process.
func WithAllowStdioAccess(stdio bool) ContainerConfigOpt {
	return func(cfg *ContainerConfig) error {
		cfg.AllowStdioAccess = stdio
		return nil
	}
}
    55  
// WithExecProcesses appends the specified exec processes to
// ContainerConfig.ExecProcesses, keeping any already configured.
func WithExecProcesses(execs []ExecProcessConfig) ContainerConfigOpt {
	return func(cfg *ContainerConfig) error {
		merged := append(cfg.ExecProcesses, execs...)
		cfg.ExecProcesses = merged
		return nil
	}
}
    63  
// WithAllowPrivilegeEscalation sets ContainerConfig.AllowPrivilegeEscalation.
// When true the policy allows privilege escalation by clearing the
// NoNewPrivileges flag; the field's zero value (false) keeps that flag set.
func WithAllowPrivilegeEscalation(allow bool) ContainerConfigOpt {
	return func(cfg *ContainerConfig) error {
		cfg.AllowPrivilegeEscalation = allow
		return nil
	}
}
    71  
// WithUser sets ContainerConfig.User. Because user is passed by value, the
// config stores a pointer to its own copy and does not alias the caller's
// UserConfig.
func WithUser(user UserConfig) ContainerConfigOpt {
	return func(cfg *ContainerConfig) error {
		owned := user
		cfg.User = &owned
		return nil
	}
}
    79  
// WithCapabilities sets ContainerConfig.Capabilities to the given pointer.
// The CapabilitiesConfig is stored as-is, not copied, so the config shares it
// with the caller; a nil pointer clears the field.
func WithCapabilities(capabilities *CapabilitiesConfig) ContainerConfigOpt {
	return func(cfg *ContainerConfig) error {
		cfg.Capabilities = capabilities
		return nil
	}
}
    87  
// WithSeccompProfilePath sets ContainerConfig.SeccompProfilePath to path,
// replacing any previously configured seccomp profile path.
func WithSeccompProfilePath(path string) ContainerConfigOpt {
	return func(cfg *ContainerConfig) error {
		cfg.SeccompProfilePath = path
		return nil
	}
}
    95  
// WithContainers appends the given container configs to
// PolicyConfig.Containers; containers already in the policy are kept.
func WithContainers(containers []ContainerConfig) PolicyConfigOpt {
	return func(pc *PolicyConfig) error {
		merged := append(pc.Containers, containers...)
		pc.Containers = merged
		return nil
	}
}
   103  
// WithAllowUnencryptedScratch sets PolicyConfig.AllowUnencryptedScratch.
// The field's zero value is false, so a policy built without this option
// does not allow unencrypted scratch.
func WithAllowUnencryptedScratch(allow bool) PolicyConfigOpt {
	return func(pc *PolicyConfig) error {
		pc.AllowUnencryptedScratch = allow
		return nil
	}
}
   110  
// WithAllowEnvVarDropping sets PolicyConfig.AllowEnvironmentVariableDropping.
// The field's zero value is false, so dropping is not allowed unless this
// option is applied with true.
func WithAllowEnvVarDropping(allow bool) PolicyConfigOpt {
	return func(pc *PolicyConfig) error {
		pc.AllowEnvironmentVariableDropping = allow
		return nil
	}
}
   117  
// WithAllowCapabilityDropping sets PolicyConfig.AllowCapabilityDropping.
// The field's zero value is false, so dropping is not allowed unless this
// option is applied with true.
func WithAllowCapabilityDropping(allow bool) PolicyConfigOpt {
	return func(pc *PolicyConfig) error {
		pc.AllowCapabilityDropping = allow
		return nil
	}
}
   124  
// WithAllowRuntimeLogging sets PolicyConfig.AllowRuntimeLogging. The field's
// zero value is false, so runtime logging is not allowed unless this option
// is applied with true.
func WithAllowRuntimeLogging(allow bool) PolicyConfigOpt {
	return func(pc *PolicyConfig) error {
		pc.AllowRuntimeLogging = allow
		return nil
	}
}
   131  
// WithExternalProcesses appends the given external process configs to
// PolicyConfig.ExternalProcesses; entries already in the policy are kept.
func WithExternalProcesses(processes []ExternalProcessConfig) PolicyConfigOpt {
	return func(pc *PolicyConfig) error {
		merged := append(pc.ExternalProcesses, processes...)
		pc.ExternalProcesses = merged
		return nil
	}
}
   138  
// WithAllowPropertiesAccess sets PolicyConfig.AllowPropertiesAccess. The
// field's zero value is false, so properties access is not allowed unless
// this option is applied with true.
func WithAllowPropertiesAccess(allow bool) PolicyConfigOpt {
	return func(pc *PolicyConfig) error {
		pc.AllowPropertiesAccess = allow
		return nil
	}
}
   145  
// WithAllowDumpStacks sets PolicyConfig.AllowDumpStacks. The field's zero
// value is false, so stack dumps are not allowed unless this option is
// applied with true.
func WithAllowDumpStacks(allow bool) PolicyConfigOpt {
	return func(pc *PolicyConfig) error {
		pc.AllowDumpStacks = allow
		return nil
	}
}
   152  
