PyPI - nsjail-python - Versions diffs - 0.1.0__py3-none-any.whl - Mend

nsjail-python 0.1.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

nsjail/__init__.py +21 -0
nsjail/_field_meta.py +177 -0
nsjail/_proto/__init__.py +57 -0
nsjail/_proto/config_pb2.py +50 -0
nsjail/builder.py +151 -0
nsjail/config.py +168 -0
nsjail/enums.py +27 -0
nsjail/exceptions.py +29 -0
nsjail/presets.py +74 -0
nsjail/runner.py +274 -0
nsjail/serializers/__init__.py +26 -0
nsjail/serializers/cli.py +69 -0
nsjail/serializers/protobuf.py +22 -0
nsjail/serializers/textproto.py +91 -0
nsjail_python-0.1.0.dist-info/METADATA +141 -0
nsjail_python-0.1.0.dist-info/RECORD +18 -0
nsjail_python-0.1.0.dist-info/WHEEL +4 -0
nsjail_python-0.1.0.dist-info/licenses/LICENSE +21 -0

nsjail/__init__.py ADDED Viewed

@@ -0,0 +1,21 @@
+"""nsjail-python: Python wrapper for Google's nsjail sandboxing tool."""
+from nsjail.config import Exe, IdMap, MountPt, NsJailConfig
+from nsjail.enums import LogLevel, Mode, RLimitType
+from nsjail.builder import Jail
+from nsjail.presets import sandbox
+from nsjail.runner import NsJailResult, Runner
+__all__ = [
+    "Exe",
+    "IdMap",
+    "Jail",
+    "LogLevel",
+    "Mode",
+    "MountPt",
+    "NsJailConfig",
+    "NsJailResult",
+    "RLimitType",
+    "Runner",
+    "sandbox",
+]

nsjail/_field_meta.py ADDED Viewed

@@ -0,0 +1,177 @@
+# GENERATED from nsjail config.proto — DO NOT EDIT
+# Re-run: python -m _codegen.generate
+from __future__ import annotations
+from dataclasses import dataclass
+@dataclass(frozen=True)
+class FieldMeta:
+    """Metadata about a single proto field."""
+    number: int
+    proto_type: str
+    default: object
+    cli_flag: str | None
+    cli_supported: bool
+    is_repeated: bool
+    is_message: bool
+FIELD_REGISTRY: dict[tuple[str, str], FieldMeta] = {}
+def _r(msg: str, name: str, **kwargs: object) -> None:
+    FIELD_REGISTRY[(msg, name)] = FieldMeta(**kwargs)  # type: ignore[arg-type]
+# ── UserNet (19 fields) ───────────────────────────────────────────────────────
+_r("UserNet", "enable", number=1, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "ip", number=2, proto_type="string", default="10.255.255.2", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "mask", number=3, proto_type="string", default="255.255.255.0", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "gw", number=4, proto_type="string", default="10.255.255.1", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "ip6", number=5, proto_type="string", default="fc00::2", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "mask6", number=6, proto_type="string", default="64", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "gw6", number=7, proto_type="string", default="fc00::1", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "ns_iface", number=8, proto_type="string", default="eth0", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "tcp_ports", number=9, proto_type="string", default="none", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "udp_ports", number=10, proto_type="string", default="none", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "enable_ip4_dhcp", number=11, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "enable_dns", number=12, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "dns_forward", number=13, proto_type="string", default="", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "enable_tcp", number=14, proto_type="bool", default=True, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "enable_udp", number=15, proto_type="bool", default=True, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "enable_icmp", number=16, proto_type="bool", default=True, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "no_map_gw", number=17, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "enable_ip6_dhcp", number=18, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("UserNet", "enable_ip6_ra", number=19, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+# ── IdMap (4 fields) ─────────────────────────────────────────────────────────
+_r("IdMap", "inside_id", number=1, proto_type="string", default="", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("IdMap", "outside_id", number=2, proto_type="string", default="", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("IdMap", "count", number=3, proto_type="uint32", default=1, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("IdMap", "use_newidmap", number=4, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+# ── MountPt (15 fields) ───────────────────────────────────────────────────────
+_r("MountPt", "src", number=1, proto_type="string", default=None, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "prefix_src_env", number=2, proto_type="string", default=None, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "src_content", number=3, proto_type="bytes", default=None, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "dst", number=4, proto_type="string", default=None, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "prefix_dst_env", number=5, proto_type="string", default=None, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "fstype", number=6, proto_type="string", default=None, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "options", number=7, proto_type="string", default=None, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "is_bind", number=8, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "rw", number=9, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "is_dir", number=10, proto_type="bool", default=None, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "mandatory", number=11, proto_type="bool", default=True, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "is_symlink", number=12, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "nosuid", number=13, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "nodev", number=14, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("MountPt", "noexec", number=15, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+# ── Exe (4 fields) ───────────────────────────────────────────────────────────
+_r("Exe", "path", number=1, proto_type="string", default=None, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("Exe", "arg", number=2, proto_type="string", default=[], cli_flag=None, cli_supported=False, is_repeated=True, is_message=False)
+_r("Exe", "arg0", number=3, proto_type="string", default=None, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("Exe", "exec_fd", number=4, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+# ── NsJailConfig (96 fields) ──────────────────────────────────────────────────
+_r("NsJailConfig", "name", number=1, proto_type="string", default=None, cli_flag="--name", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "description", number=2, proto_type="string", default=[], cli_flag=None, cli_supported=False, is_repeated=True, is_message=False)
+_r("NsJailConfig", "mode", number=3, proto_type="enum", default=1, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "hostname", number=4, proto_type="string", default="NSJAIL", cli_flag="--hostname", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cwd", number=5, proto_type="string", default="/", cli_flag="--cwd", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "no_pivotroot", number=6, proto_type="bool", default=False, cli_flag="--no_pivotroot", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "port", number=7, proto_type="uint32", default=0, cli_flag="--port", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "bindhost", number=8, proto_type="string", default="::", cli_flag="--bindhost", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "max_conns", number=9, proto_type="uint32", default=0, cli_flag="--max_conns", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "max_conns_per_ip", number=10, proto_type="uint32", default=0, cli_flag="--max_conns_per_ip", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "time_limit", number=11, proto_type="uint32", default=600, cli_flag="--time_limit", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "daemon", number=12, proto_type="bool", default=False, cli_flag="--daemon", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "max_cpus", number=13, proto_type="uint32", default=0, cli_flag="--max_cpus", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "nice_level", number=14, proto_type="int32", default=19, cli_flag="--nice_level", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "log_fd", number=15, proto_type="int32", default=None, cli_flag="--log_fd", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "log_file", number=16, proto_type="string", default=None, cli_flag="--log", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "log_level", number=17, proto_type="enum", default=None, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "keep_env", number=18, proto_type="bool", default=False, cli_flag="--keep_env", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "envar", number=19, proto_type="string", default=[], cli_flag="--env", cli_supported=True, is_repeated=True, is_message=False)
+_r("NsJailConfig", "keep_caps", number=20, proto_type="bool", default=False, cli_flag="--keep_caps", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cap", number=21, proto_type="string", default=[], cli_flag="--cap", cli_supported=True, is_repeated=True, is_message=False)
+_r("NsJailConfig", "silent", number=22, proto_type="bool", default=False, cli_flag="--silent", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "skip_setsid", number=23, proto_type="bool", default=False, cli_flag="--skip_setsid", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "stderr_to_null", number=24, proto_type="bool", default=False, cli_flag="--stderr_to_null", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "pass_fd", number=25, proto_type="int32", default=[], cli_flag="--pass_fd", cli_supported=True, is_repeated=True, is_message=False)
+_r("NsJailConfig", "disable_no_new_privs", number=26, proto_type="bool", default=False, cli_flag="--disable_no_new_privs", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "forward_signals", number=27, proto_type="bool", default=False, cli_flag="--forward_signals", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "disable_tsc", number=28, proto_type="bool", default=False, cli_flag="--disable_tsc", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_as", number=29, proto_type="uint64", default=4096, cli_flag="--rlimit_as", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_as_type", number=30, proto_type="enum", default=0, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_core", number=31, proto_type="uint64", default=0, cli_flag="--rlimit_core", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_core_type", number=32, proto_type="enum", default=0, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_cpu", number=33, proto_type="uint64", default=600, cli_flag="--rlimit_cpu", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_cpu_type", number=34, proto_type="enum", default=0, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_fsize", number=35, proto_type="uint64", default=1, cli_flag="--rlimit_fsize", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_fsize_type", number=36, proto_type="enum", default=0, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_nofile", number=37, proto_type="uint64", default=32, cli_flag="--rlimit_nofile", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_nofile_type", number=38, proto_type="enum", default=0, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_nproc", number=39, proto_type="uint64", default=1024, cli_flag="--rlimit_nproc", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_nproc_type", number=40, proto_type="enum", default=1, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_stack", number=41, proto_type="uint64", default=8, cli_flag="--rlimit_stack", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_stack_type", number=42, proto_type="enum", default=1, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_memlock", number=43, proto_type="uint64", default=64, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_memlock_type", number=44, proto_type="enum", default=1, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_rtprio", number=45, proto_type="uint64", default=0, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_rtprio_type", number=46, proto_type="enum", default=1, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_msgqueue", number=47, proto_type="uint64", default=1024, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "rlimit_msgqueue_type", number=48, proto_type="enum", default=1, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "disable_rl", number=49, proto_type="bool", default=False, cli_flag="--disable_rl", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "persona_addr_compat_layout", number=50, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "persona_mmap_page_zero", number=51, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "persona_read_implies_exec", number=52, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "persona_addr_limit_3gb", number=53, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "persona_addr_no_randomize", number=54, proto_type="bool", default=False, cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "clone_newnet", number=55, proto_type="bool", default=True, cli_flag=None, cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "clone_newuser", number=56, proto_type="bool", default=True, cli_flag=None, cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "clone_newns", number=57, proto_type="bool", default=True, cli_flag=None, cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "clone_newpid", number=58, proto_type="bool", default=True, cli_flag=None, cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "clone_newipc", number=59, proto_type="bool", default=True, cli_flag=None, cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "clone_newuts", number=60, proto_type="bool", default=True, cli_flag=None, cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "clone_newcgroup", number=61, proto_type="bool", default=True, cli_flag=None, cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "clone_newtime", number=62, proto_type="bool", default=False, cli_flag=None, cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "uidmap", number=63, proto_type="message", default=[], cli_flag="--uid_mapping", cli_supported=True, is_repeated=True, is_message=True)
+_r("NsJailConfig", "gidmap", number=64, proto_type="message", default=[], cli_flag="--gid_mapping", cli_supported=True, is_repeated=True, is_message=True)
+_r("NsJailConfig", "mount_proc", number=65, proto_type="bool", default=False, cli_flag="--mount_proc", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "mount", number=66, proto_type="message", default=[], cli_flag=None, cli_supported=False, is_repeated=True, is_message=True)
+_r("NsJailConfig", "seccomp_policy_file", number=67, proto_type="string", default=None, cli_flag="--seccomp_policy", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "seccomp_string", number=68, proto_type="string", default=[], cli_flag="--seccomp_string", cli_supported=True, is_repeated=True, is_message=False)
+_r("NsJailConfig", "seccomp_log", number=69, proto_type="bool", default=False, cli_flag="--seccomp_log", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_mem_max", number=70, proto_type="uint64", default=0, cli_flag="--cgroup_mem_max", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_mem_memsw_max", number=71, proto_type="uint64", default=0, cli_flag="--cgroup_mem_memsw_max", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_mem_swap_max", number=72, proto_type="int64", default=-1, cli_flag="--cgroup_mem_swap_max", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_mem_mount", number=73, proto_type="string", default="/sys/fs/cgroup/memory", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_mem_parent", number=74, proto_type="string", default="NSJAIL", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_pids_max", number=75, proto_type="uint64", default=0, cli_flag="--cgroup_pids_max", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_pids_mount", number=76, proto_type="string", default="/sys/fs/cgroup/pids", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_pids_parent", number=77, proto_type="string", default="NSJAIL", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_net_cls_classid", number=78, proto_type="uint32", default=0, cli_flag="--cgroup_net_cls_classid", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_net_cls_mount", number=79, proto_type="string", default="/sys/fs/cgroup/net_cls", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_net_cls_parent", number=80, proto_type="string", default="NSJAIL", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_cpu_ms_per_sec", number=81, proto_type="uint32", default=0, cli_flag="--cgroup_cpu_ms_per_sec", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_cpu_mount", number=82, proto_type="string", default="/sys/fs/cgroup/cpu", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroup_cpu_parent", number=83, proto_type="string", default="NSJAIL", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "cgroupv2_mount", number=84, proto_type="string", default="/sys/fs/cgroup", cli_flag=None, cli_supported=False, is_repeated=False, is_message=False)
+_r("NsJailConfig", "use_cgroupv2", number=85, proto_type="bool", default=False, cli_flag="--use_cgroupv2", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "detect_cgroupv2", number=86, proto_type="bool", default=False, cli_flag="--detect_cgroupv2", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "iface_no_lo", number=87, proto_type="bool", default=False, cli_flag="--iface_no_lo", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "iface_own", number=88, proto_type="string", default=[], cli_flag="--iface_own", cli_supported=True, is_repeated=True, is_message=False)
+_r("NsJailConfig", "macvlan_iface", number=89, proto_type="string", default=None, cli_flag="--macvlan_iface", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "macvlan_vs_ip", number=90, proto_type="string", default="192.168.0.2", cli_flag="--macvlan_vs_ip", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "macvlan_vs_nm", number=91, proto_type="string", default="255.255.255.0", cli_flag="--macvlan_vs_nm", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "macvlan_vs_gw", number=92, proto_type="string", default="192.168.0.1", cli_flag="--macvlan_vs_gw", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "macvlan_vs_ma", number=93, proto_type="string", default="", cli_flag="--macvlan_vs_ma", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "macvlan_vs_mo", number=94, proto_type="string", default="private", cli_flag="--macvlan_vs_mo", cli_supported=True, is_repeated=False, is_message=False)
+_r("NsJailConfig", "user_net", number=95, proto_type="message", default=None, cli_flag=None, cli_supported=False, is_repeated=False, is_message=True)
+_r("NsJailConfig", "exec_bin", number=96, proto_type="message", default=None, cli_flag=None, cli_supported=False, is_repeated=False, is_message=True)
+del _r

nsjail/_proto/__init__.py ADDED Viewed

@@ -0,0 +1,57 @@
+"""Auto-generated protobuf module for nsjail config.proto.
+The config_pb2 module is generated from _vendor/nsjail/config.proto using
+grpc_tools.protoc. If the generated module does not exist, this package
+will attempt to generate it on first import.
+To regenerate manually:
+    python -m grpc_tools.protoc \\
+        --python_out=src/nsjail/_proto/ \\
+        --proto_path=_vendor/nsjail/ \\
+        config.proto
+"""
+from __future__ import annotations
+from pathlib import Path
+def _compile_proto() -> None:
+    """Compile config.proto using grpc_tools.protoc."""
+    try:
+        from grpc_tools import protoc
+    except ImportError as e:
+        raise ImportError(
+            "grpc_tools is required to compile config.proto. "
+            "Install it with: pip install grpcio-tools"
+        ) from e
+    proto_dir = Path(__file__).parent
+    # Walk up to find the repo root (where _vendor lives)
+    repo_root = proto_dir
+    for _ in range(10):
+        if (repo_root / "_vendor" / "nsjail" / "config.proto").exists():
+            break
+        repo_root = repo_root.parent
+    else:
+        raise FileNotFoundError(
+            "Could not find _vendor/nsjail/config.proto relative to package"
+        )
+    proto_path = str(repo_root / "_vendor" / "nsjail")
+    python_out = str(proto_dir)
+    ret = protoc.main([
+        "grpc_tools.protoc",
+        f"--proto_path={proto_path}",
+        f"--python_out={python_out}",
+        "config.proto",
+    ])
+    if ret != 0:
+        raise RuntimeError(f"grpc_tools.protoc failed with exit code {ret}")
+# Attempt to import config_pb2; compile if missing
+_pb2_path = Path(__file__).parent / "config_pb2.py"
+if not _pb2_path.exists():
+    _compile_proto()

nsjail/_proto/config_pb2.py ADDED Viewed

@@ -0,0 +1,50 @@
+# -*- coding: utf-8 -*-
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# NO CHECKED-IN PROTOBUF GENCODE
+# source: config.proto
+# Protobuf Python Version: 6.31.1
+"""Generated protocol buffer code."""
+from google.protobuf import descriptor as _descriptor
+from google.protobuf import descriptor_pool as _descriptor_pool
+from google.protobuf import runtime_version as _runtime_version
+from google.protobuf import symbol_database as _symbol_database
+from google.protobuf.internal import builder as _builder
+_runtime_version.ValidateProtobufRuntimeVersion(
+    _runtime_version.Domain.PUBLIC,
+    6,
+    31,
+    1,
+    '',
+    'config.proto'
+)
+# @@protoc_insertion_point(imports)
+_sym_db = _symbol_database.Default()
+DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x0c\x63onfig.proto\x12\x06nsjail\"a\n\x05IdMap\x12\x13\n\tinside_id\x18\x01 \x01(\t:\x00\x12\x14\n\noutside_id\x18\x02 \x01(\t:\x00\x12\x10\n\x05\x63ount\x18\x03 \x01(\r:\x01\x31\x12\x1b\n\x0cuse_newidmap\x18\x04 \x01(\x08:\x05\x66\x61lse\"\xca\x02\n\x07MountPt\x12\r\n\x03src\x18\x01 \x01(\t:\x00\x12\x18\n\x0eprefix_src_env\x18\x02 \x01(\t:\x00\x12\x15\n\x0bsrc_content\x18\x03 \x01(\x0c:\x00\x12\r\n\x03\x64st\x18\x04 \x02(\t:\x00\x12\x18\n\x0eprefix_dst_env\x18\x05 \x01(\t:\x00\x12\x10\n\x06\x66stype\x18\x06 \x01(\t:\x00\x12\x11\n\x07options\x18\x07 \x01(\t:\x00\x12\x16\n\x07is_bind\x18\x08 \x01(\x08:\x05\x66\x61lse\x12\x11\n\x02rw\x18\t \x01(\x08:\x05\x66\x61lse\x12\x0e\n\x06is_dir\x18\n \x01(\x08\x12\x17\n\tmandatory\x18\x0b \x01(\x08:\x04true\x12\x19\n\nis_symlink\x18\x0c \x01(\x08:\x05\x66\x61lse\x12\x15\n\x06nosuid\x18\r \x01(\x08:\x05\x66\x61lse\x12\x14\n\x05nodev\x18\x0e \x01(\x08:\x05\x66\x61lse\x12\x15\n\x06noexec\x18\x0f \x01(\x08:\x05\x66\x61lse\"F\n\x03\x45xe\x12\x0c\n\x04path\x18\x01 \x02(\t\x12\x0b\n\x03\x61rg\x18\x02 \x03(\t\x12\x0c\n\x04\x61rg0\x18\x03 \x01(\t\x12\x16\n\x07\x65xec_fd\x18\x04 \x01(\x08:\x05\x66\x61lse\"\xe7\x1b\n\x0cNsJailConfig\x12\x0e\n\x04name\x18\x01 \x01(\t:\x00\x12\x13\n\x0b\x64\x65scription\x18\x02 \x03(\t\x12 \n\x04mode\x18\x03 \x01(\x0e\x32\x0c.nsjail.Mode:\x04ONCE\x12\x18\n\x08hostname\x18\x04 \x01(\t:\x06NSJAIL\x12\x0e\n\x03\x63wd\x18\x05 \x01(\t:\x01/\x12\x1b\n\x0cno_pivotroot\x18\x06 \x01(\x08:\x05\x66\x61lse\x12\x0f\n\x04port\x18\x07 \x01(\r:\x01\x30\x12\x14\n\x08\x62indhost\x18\x08 \x01(\t:\x02::\x12\x14\n\tmax_conns\x18\t \x01(\r:\x01\x30\x12\x1b\n\x10max_conns_per_ip\x18\n \x01(\r:\x01\x30\x12\x17\n\ntime_limit\x18\x0b \x01(\r:\x03\x36\x30\x30\x12\x15\n\x06\x64\x61\x65mon\x18\x0c \x01(\x08:\x05\x66\x61lse\x12\x13\n\x08max_cpus\x18\r \x01(\r:\x01\x30\x12\x16\n\nnice_level\x18\x0e \x01(\x05:\x02\x31\x39\x12\x0e\n\x06log_fd\x18\x0f \x01(\x05\x12\x10\n\x08log_file\x18\x10 \x01(\t\x12#\n\tlog_level\x18\x11 \x01(\x0e\x32\x10.nsjail.LogLevel\x12\x17\n\x08keep_env\x18\x12 \x01(\x08:\x05\x66\x61lse\x12\r\n\x05\x65nvar\x18\x13 \x03(\t\x12\x18\n\tkeep_caps\x18\x14 \x01(\x08:\x05\x66\x61lse\x12\x0b\n\x03\x63\x61p\x18\x15 \x03(\t\x12\x15\n\x06silent\x18\x16 \x01(\x08:\x05\x66\x61lse\x12\x1a\n\x0bskip_setsid\x18\x17 \x01(\x08:\x05\x66\x61lse\x12\x1d\n\x0estderr_to_null\x18\x18 \x01(\x08:\x05\x66\x61lse\x12\x0f\n\x07pass_fd\x18\x19 \x03(\x05\x12#\n\x14\x64isable_no_new_privs\x18\x1a \x01(\x08:\x05\x66\x61lse\x12\x1e\n\x0f\x66orward_signals\x18\x1b \x01(\x08:\x05\x66\x61lse\x12\x1a\n\x0b\x64isable_tsc\x18\x1c \x01(\x08:\x05\x66\x61lse\x12\x17\n\trlimit_as\x18\x1d \x01(\x04:\x04\x34\x30\x39\x36\x12-\n\x0erlimit_as_type\x18\x1e \x01(\x0e\x32\x0e.nsjail.RLimit:\x05VALUE\x12\x16\n\x0brlimit_core\x18\x1f \x01(\x04:\x01\x30\x12/\n\x10rlimit_core_type\x18  \x01(\x0e\x32\x0e.nsjail.RLimit:\x05VALUE\x12\x17\n\nrlimit_cpu\x18! \x01(\x04:\x03\x36\x30\x30\x12.\n\x0frlimit_cpu_type\x18\" \x01(\x0e\x32\x0e.nsjail.RLimit:\x05VALUE\x12\x17\n\x0crlimit_fsize\x18# \x01(\x04:\x01\x31\x12\x30\n\x11rlimit_fsize_type\x18$ \x01(\x0e\x32\x0e.nsjail.RLimit:\x05VALUE\x12\x19\n\rrlimit_nofile\x18% \x01(\x04:\x02\x33\x32\x12\x31\n\x12rlimit_nofile_type\x18& \x01(\x0e\x32\x0e.nsjail.RLimit:\x05VALUE\x12\x1a\n\x0crlimit_nproc\x18\' \x01(\x04:\x04\x31\x30\x32\x34\x12/\n\x11rlimit_nproc_type\x18( \x01(\x0e\x32\x0e.nsjail.RLimit:\x04SOFT\x12\x17\n\x0crlimit_stack\x18) \x01(\x04:\x01\x38\x12/\n\x11rlimit_stack_type\x18* \x01(\x0e\x32\x0e.nsjail.RLimit:\x04SOFT\x12\x1a\n\x0erlimit_memlock\x18+ \x01(\x04:\x02\x36\x34\x12\x31\n\x13rlimit_memlock_type\x18, \x01(\x0e\x32\x0e.nsjail.RLimit:\x04SOFT\x12\x18\n\rrlimit_rtprio\x18- \x01(\x04:\x01\x30\x12\x30\n\x12rlimit_rtprio_type\x18. \x01(\x0e\x32\x0e.nsjail.RLimit:\x04SOFT\x12\x1d\n\x0frlimit_msgqueue\x18/ \x01(\x04:\x04\x31\x30\x32\x34\x12\x32\n\x14rlimit_msgqueue_type\x18\x30 \x01(\x0e\x32\x0e.nsjail.RLimit:\x04SOFT\x12\x19\n\ndisable_rl\x18\x31 \x01(\x08:\x05\x66\x61lse\x12)\n\x1apersona_addr_compat_layout\x18\x32 \x01(\x08:\x05\x66\x61lse\x12%\n\x16persona_mmap_page_zero\x18\x33 \x01(\x08:\x05\x66\x61lse\x12(\n\x19persona_read_implies_exec\x18\x34 \x01(\x08:\x05\x66\x61lse\x12%\n\x16persona_addr_limit_3gb\x18\x35 \x01(\x08:\x05\x66\x61lse\x12(\n\x19persona_addr_no_randomize\x18\x36 \x01(\x08:\x05\x66\x61lse\x12\x1a\n\x0c\x63lone_newnet\x18\x37 \x01(\x08:\x04true\x12\x1b\n\rclone_newuser\x18\x38 \x01(\x08:\x04true\x12\x19\n\x0b\x63lone_newns\x18\x39 \x01(\x08:\x04true\x12\x1a\n\x0c\x63lone_newpid\x18: \x01(\x08:\x04true\x12\x1a\n\x0c\x63lone_newipc\x18; \x01(\x08:\x04true\x12\x1a\n\x0c\x63lone_newuts\x18< \x01(\x08:\x04true\x12\x1d\n\x0f\x63lone_newcgroup\x18= \x01(\x08:\x04true\x12\x1c\n\rclone_newtime\x18> \x01(\x08:\x05\x66\x61lse\x12\x1d\n\x06uidmap\x18? \x03(\x0b\x32\r.nsjail.IdMap\x12\x1d\n\x06gidmap\x18@ \x03(\x0b\x32\r.nsjail.IdMap\x12\x19\n\nmount_proc\x18\x41 \x01(\x08:\x05\x66\x61lse\x12\x1e\n\x05mount\x18\x42 \x03(\x0b\x32\x0f.nsjail.MountPt\x12\x1b\n\x13seccomp_policy_file\x18\x43 \x01(\t\x12\x16\n\x0eseccomp_string\x18\x44 \x03(\t\x12\x1a\n\x0bseccomp_log\x18\x45 \x01(\x08:\x05\x66\x61lse\x12\x19\n\x0e\x63group_mem_max\x18\x46 \x01(\x04:\x01\x30\x12\x1f\n\x14\x63group_mem_memsw_max\x18G \x01(\x04:\x01\x30\x12\x1f\n\x13\x63group_mem_swap_max\x18H \x01(\x03:\x02-1\x12/\n\x10\x63group_mem_mount\x18I \x01(\t:\x15/sys/fs/cgroup/memory\x12!\n\x11\x63group_mem_parent\x18J \x01(\t:\x06NSJAIL\x12\x1a\n\x0f\x63group_pids_max\x18K \x01(\x04:\x01\x30\x12.\n\x11\x63group_pids_mount\x18L \x01(\t:\x13/sys/fs/cgroup/pids\x12\"\n\x12\x63group_pids_parent\x18M \x01(\t:\x06NSJAIL\x12!\n\x16\x63group_net_cls_classid\x18N \x01(\r:\x01\x30\x12\x34\n\x14\x63group_net_cls_mount\x18O \x01(\t:\x16/sys/fs/cgroup/net_cls\x12%\n\x15\x63group_net_cls_parent\x18P \x01(\t:\x06NSJAIL\x12 \n\x15\x63group_cpu_ms_per_sec\x18Q \x01(\r:\x01\x30\x12,\n\x10\x63group_cpu_mount\x18R \x01(\t:\x12/sys/fs/cgroup/cpu\x12!\n\x11\x63group_cpu_parent\x18S \x01(\t:\x06NSJAIL\x12&\n\x0e\x63groupv2_mount\x18T \x01(\t:\x0e/sys/fs/cgroup\x12\x1b\n\x0cuse_cgroupv2\x18U \x01(\x08:\x05\x66\x61lse\x12\x1e\n\x0f\x64\x65tect_cgroupv2\x18V \x01(\x08:\x05\x66\x61lse\x12\x1a\n\x0biface_no_lo\x18W \x01(\x08:\x05\x66\x61lse\x12\x11\n\tiface_own\x18X \x03(\t\x12\x15\n\rmacvlan_iface\x18Y \x01(\t\x12\"\n\rmacvlan_vs_ip\x18Z \x01(\t:\x0b\x31\x39\x32.168.0.2\x12$\n\rmacvlan_vs_nm\x18[ \x01(\t:\r255.255.255.0\x12\"\n\rmacvlan_vs_gw\x18\\ \x01(\t:\x0b\x31\x39\x32.168.0.1\x12\x17\n\rmacvlan_vs_ma\x18] \x01(\t:\x00\x12\x1e\n\rmacvlan_vs_mo\x18^ \x01(\t:\x07private\x12.\n\x08user_net\x18_ \x01(\x0b\x32\x1c.nsjail.NsJailConfig.UserNet\x12\x1d\n\x08\x65xec_bin\x18` \x01(\x0b\x32\x0b.nsjail.Exe\x1a\xf3\x03\n\x07UserNet\x12\x15\n\x06\x65nable\x18\x01 \x01(\x08:\x05\x66\x61lse\x12\x18\n\x02ip\x18\x02 \x01(\t:\x0c\x31\x30.255.255.2\x12\x1b\n\x04mask\x18\x03 \x01(\t:\r255.255.255.0\x12\x18\n\x02gw\x18\x04 \x01(\t:\x0c\x31\x30.255.255.1\x12\x14\n\x03ip6\x18\x05 \x01(\t:\x07\x66\x63\x30\x30::2\x12\x11\n\x05mask6\x18\x06 \x01(\t:\x02\x36\x34\x12\x14\n\x03gw6\x18\x07 \x01(\t:\x07\x66\x63\x30\x30::1\x12\x16\n\x08ns_iface\x18\x08 \x01(\t:\x04\x65th0\x12\x17\n\ttcp_ports\x18\t \x01(\t:\x04none\x12\x17\n\tudp_ports\x18\n \x01(\t:\x04none\x12\x1e\n\x0f\x65nable_ip4_dhcp\x18\x0b \x01(\x08:\x05\x66\x61lse\x12\x19\n\nenable_dns\x18\x0c \x01(\x08:\x05\x66\x61lse\x12\x15\n\x0b\x64ns_forward\x18\r \x01(\t:\x00\x12\x18\n\nenable_tcp\x18\x0e \x01(\x08:\x04true\x12\x18\n\nenable_udp\x18\x0f \x01(\x08:\x04true\x12\x19\n\x0b\x65nable_icmp\x18\x10 \x01(\x08:\x04true\x12\x18\n\tno_map_gw\x18\x11 \x01(\x08:\x05\x66\x61lse\x12\x1e\n\x0f\x65nable_ip6_dhcp\x18\x12 \x01(\x08:\x05\x66\x61lse\x12\x1c\n\renable_ip6_ra\x18\x13 \x01(\x08:\x05\x66\x61lse*3\n\x04Mode\x12\n\n\x06LISTEN\x10\x00\x12\x08\n\x04ONCE\x10\x01\x12\t\n\x05RERUN\x10\x02\x12\n\n\x06\x45XECVE\x10\x03*B\n\x08LogLevel\x12\t\n\x05\x44\x45\x42UG\x10\x00\x12\x08\n\x04INFO\x10\x01\x12\x0b\n\x07WARNING\x10\x02\x12\t\n\x05\x45RROR\x10\x03\x12\t\n\x05\x46\x41TAL\x10\x04*0\n\x06RLimit\x12\t\n\x05VALUE\x10\x00\x12\x08\n\x04SOFT\x10\x01\x12\x08\n\x04HARD\x10\x02\x12\x07\n\x03INF\x10\x03')
+_globals = globals()
+_builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals)
+_builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'config_pb2', _globals)
+if not _descriptor._USE_C_DESCRIPTORS:
+  DESCRIPTOR._loaded_options = None
+  _globals['_MODE']._serialized_start=4090
+  _globals['_MODE']._serialized_end=4141
+  _globals['_LOGLEVEL']._serialized_start=4143
+  _globals['_LOGLEVEL']._serialized_end=4209
+  _globals['_RLIMIT']._serialized_start=4211
+  _globals['_RLIMIT']._serialized_end=4259
+  _globals['_IDMAP']._serialized_start=24
+  _globals['_IDMAP']._serialized_end=121
+  _globals['_MOUNTPT']._serialized_start=124
+  _globals['_MOUNTPT']._serialized_end=454
+  _globals['_EXE']._serialized_start=456
+  _globals['_EXE']._serialized_end=526
+  _globals['_NSJAILCONFIG']._serialized_start=529
+  _globals['_NSJAILCONFIG']._serialized_end=4088
+  _globals['_NSJAILCONFIG_USERNET']._serialized_start=3589
+  _globals['_NSJAILCONFIG_USERNET']._serialized_end=4088
+# @@protoc_insertion_point(module_scope)

nsjail/builder.py ADDED Viewed

@@ -0,0 +1,151 @@
+"""Fluent builder for NsJailConfig."""
+from __future__ import annotations
+from typing import Literal, TYPE_CHECKING
+if TYPE_CHECKING:
+    from nsjail.runner import Runner, NsJailResult
+from nsjail.config import Exe, IdMap, MountPt, NsJailConfig
+from nsjail.presets import (
+    apply_cgroup_limits,
+    apply_readonly_root,
+    apply_seccomp_log,
+)
+class Jail:
+    """Fluent builder for NsJailConfig."""
+    def __init__(self) -> None:
+        self._cfg = NsJailConfig()
+    def build(self) -> NsJailConfig:
+        return self._cfg
+    # --- Command builders ---
+    def command(self, *args: str) -> Jail:
+        self._cfg.exec_bin = Exe(path=args[0], arg=list(args[1:]))
+        return self
+    def sh(self, script: str) -> Jail:
+        self._cfg.exec_bin = Exe(path="/bin/sh", arg=["-c", script])
+        return self
+    def python(self, *args: str) -> Jail:
+        self._cfg.exec_bin = Exe(path="/usr/bin/python3", arg=list(args))
+        return self
+    def bash(self, *args: str) -> Jail:
+        self._cfg.exec_bin = Exe(path="/bin/bash", arg=list(args))
+        return self
+    # --- Resource limits ---
+    def timeout(self, seconds: int) -> Jail:
+        self._cfg.time_limit = seconds
+        return self
+    def memory(self, amount: int, unit: Literal["MB", "GB"] = "MB") -> Jail:
+        if unit == "GB":
+            memory_mb = amount * 1024
+        else:
+            memory_mb = amount
+        apply_cgroup_limits(self._cfg, memory_mb=memory_mb)
+        return self
+    def cpu(self, ms_per_sec: int) -> Jail:
+        apply_cgroup_limits(self._cfg, cpu_ms_per_sec=ms_per_sec)
+        return self
+    def pids(self, max_pids: int) -> Jail:
+        apply_cgroup_limits(self._cfg, pids_max=max_pids)
+        return self
+    # --- Namespace control ---
+    def no_network(self) -> Jail:
+        self._cfg.clone_newnet = True
+        return self
+    def network(self) -> Jail:
+        self._cfg.clone_newnet = False
+        return self
+    # --- Filesystem ---
+    def readonly_root(self) -> Jail:
+        apply_readonly_root(self._cfg)
+        return self
+    def writable(self, path: str, *, tmpfs: bool = False, size: str | None = None) -> Jail:
+        if tmpfs:
+            options = f"size={size}" if size else None
+            self._cfg.mount.append(
+                MountPt(dst=path, fstype="tmpfs", rw=True, is_dir=True, options=options)
+            )
+        else:
+            self._cfg.mount.append(
+                MountPt(src=path, dst=path, is_bind=True, rw=True)
+            )
+        return self
+    def mount(self, src: str, dst: str, *, readonly: bool = False) -> Jail:
+        self._cfg.mount.append(
+            MountPt(src=src, dst=dst, is_bind=True, rw=not readonly)
+        )
+        return self
+    # --- Environment ---
+    def env(self, var: str) -> Jail:
+        self._cfg.envar.append(var)
+        return self
+    def cwd(self, path: str) -> Jail:
+        self._cfg.cwd = path
+        return self
+    # --- Security ---
+    def seccomp_log(self) -> Jail:
+        apply_seccomp_log(self._cfg)
+        return self
+    def uid_map(self, *, inside: int = 0, outside: int = 1000, count: int = 1) -> Jail:
+        self._cfg.uidmap.append(
+            IdMap(inside_id=str(inside), outside_id=str(outside), count=count)
+        )
+        return self
+    # --- Execution ---
+    def run(self, *, runner: Runner | None = None, **run_kwargs: object) -> NsJailResult:
+        """Execute the built config via a Runner."""
+        from nsjail.runner import Runner as _Runner
+        r = runner or _Runner()
+        temp = _Runner(
+            base_config=self._cfg,
+            nsjail_path=r._nsjail_path,
+            render_mode=r._render_mode,
+            capture_output=r._capture_output,
+            keep_config=r._keep_config,
+        )
+        return temp.run(**run_kwargs)
+    async def async_run(self, *, runner: Runner | None = None, **run_kwargs: object) -> NsJailResult:
+        """Execute the built config asynchronously via a Runner."""
+        from nsjail.runner import Runner as _Runner
+        r = runner or _Runner()
+        temp = _Runner(
+            base_config=self._cfg,
+            nsjail_path=r._nsjail_path,
+            render_mode=r._render_mode,
+            capture_output=r._capture_output,
+            keep_config=r._keep_config,
+        )
+        return await temp.async_run(**run_kwargs)

nsjail/config.py ADDED Viewed

@@ -0,0 +1,168 @@
+# GENERATED from nsjail config.proto — DO NOT EDIT
+# Re-run: python -m _codegen.generate
+from __future__ import annotations
+from dataclasses import dataclass, field
+from enum import IntEnum
+from nsjail.enums import LogLevel, Mode, RLimitType
+@dataclass
+class UserNet:
+    enable: bool = False
+    ip: str = "10.255.255.2"
+    mask: str = "255.255.255.0"
+    gw: str = "10.255.255.1"
+    ip6: str = "fc00::2"
+    mask6: str = "64"
+    gw6: str = "fc00::1"
+    ns_iface: str = "eth0"
+    tcp_ports: str = "none"
+    udp_ports: str = "none"
+    enable_ip4_dhcp: bool = False
+    enable_dns: bool = False
+    dns_forward: str = ""
+    enable_tcp: bool = True
+    enable_udp: bool = True
+    enable_icmp: bool = True
+    no_map_gw: bool = False
+    enable_ip6_dhcp: bool = False
+    enable_ip6_ra: bool = False
+@dataclass
+class IdMap:
+    inside_id: str = ""
+    outside_id: str = ""
+    count: int = 1
+    use_newidmap: bool = False
+@dataclass
+class MountPt:
+    src: str | None = None
+    prefix_src_env: str | None = None
+    src_content: bytes | None = None
+    dst: str | None = None
+    prefix_dst_env: str | None = None
+    fstype: str | None = None
+    options: str | None = None
+    is_bind: bool = False
+    rw: bool = False
+    is_dir: bool | None = None
+    mandatory: bool = True
+    is_symlink: bool = False
+    nosuid: bool = False
+    nodev: bool = False
+    noexec: bool = False
+@dataclass
+class Exe:
+    path: str | None = None
+    arg: list[str] = field(default_factory=list)
+    arg0: str | None = None
+    exec_fd: bool = False
+@dataclass
+class NsJailConfig:
+    name: str | None = None
+    description: list[str] = field(default_factory=list)
+    mode: Mode = Mode.ONCE
+    hostname: str = "NSJAIL"
+    cwd: str = "/"
+    no_pivotroot: bool = False
+    port: int = 0
+    bindhost: str = "::"
+    max_conns: int = 0
+    max_conns_per_ip: int = 0
+    time_limit: int = 600
+    daemon: bool = False
+    max_cpus: int = 0
+    nice_level: int = 19
+    log_fd: int | None = None
+    log_file: str | None = None
+    log_level: LogLevel | None = None
+    keep_env: bool = False
+    envar: list[str] = field(default_factory=list)
+    keep_caps: bool = False
+    cap: list[str] = field(default_factory=list)
+    silent: bool = False
+    skip_setsid: bool = False
+    stderr_to_null: bool = False
+    pass_fd: list[int] = field(default_factory=list)
+    disable_no_new_privs: bool = False
+    forward_signals: bool = False
+    disable_tsc: bool = False
+    rlimit_as: int = 4096
+    rlimit_as_type: RLimitType = RLimitType.VALUE
+    rlimit_core: int = 0
+    rlimit_core_type: RLimitType = RLimitType.VALUE
+    rlimit_cpu: int = 600
+    rlimit_cpu_type: RLimitType = RLimitType.VALUE
+    rlimit_fsize: int = 1
+    rlimit_fsize_type: RLimitType = RLimitType.VALUE
+    rlimit_nofile: int = 32
+    rlimit_nofile_type: RLimitType = RLimitType.VALUE
+    rlimit_nproc: int = 1024
+    rlimit_nproc_type: RLimitType = RLimitType.SOFT
+    rlimit_stack: int = 8
+    rlimit_stack_type: RLimitType = RLimitType.SOFT
+    rlimit_memlock: int = 64
+    rlimit_memlock_type: RLimitType = RLimitType.SOFT
+    rlimit_rtprio: int = 0
+    rlimit_rtprio_type: RLimitType = RLimitType.SOFT
+    rlimit_msgqueue: int = 1024
+    rlimit_msgqueue_type: RLimitType = RLimitType.SOFT
+    disable_rl: bool = False
+    persona_addr_compat_layout: bool = False
+    persona_mmap_page_zero: bool = False
+    persona_read_implies_exec: bool = False
+    persona_addr_limit_3gb: bool = False
+    persona_addr_no_randomize: bool = False
+    clone_newnet: bool = True
+    clone_newuser: bool = True
+    clone_newns: bool = True
+    clone_newpid: bool = True
+    clone_newipc: bool = True
+    clone_newuts: bool = True
+    clone_newcgroup: bool = True
+    clone_newtime: bool = False
+    uidmap: list[IdMap] = field(default_factory=list)
+    gidmap: list[IdMap] = field(default_factory=list)
+    mount_proc: bool = False
+    mount: list[MountPt] = field(default_factory=list)
+    seccomp_policy_file: str | None = None
+    seccomp_string: list[str] = field(default_factory=list)
+    seccomp_log: bool = False
+    cgroup_mem_max: int = 0
+    cgroup_mem_memsw_max: int = 0
+    cgroup_mem_swap_max: int = -1
+    cgroup_mem_mount: str = "/sys/fs/cgroup/memory"
+    cgroup_mem_parent: str = "NSJAIL"
+    cgroup_pids_max: int = 0
+    cgroup_pids_mount: str = "/sys/fs/cgroup/pids"
+    cgroup_pids_parent: str = "NSJAIL"
+    cgroup_net_cls_classid: int = 0
+    cgroup_net_cls_mount: str = "/sys/fs/cgroup/net_cls"
+    cgroup_net_cls_parent: str = "NSJAIL"
+    cgroup_cpu_ms_per_sec: int = 0
+    cgroup_cpu_mount: str = "/sys/fs/cgroup/cpu"
+    cgroup_cpu_parent: str = "NSJAIL"
+    cgroupv2_mount: str = "/sys/fs/cgroup"
+    use_cgroupv2: bool = False
+    detect_cgroupv2: bool = False
+    iface_no_lo: bool = False
+    iface_own: list[str] = field(default_factory=list)
+    macvlan_iface: str | None = None
+    macvlan_vs_ip: str = "192.168.0.2"
+    macvlan_vs_nm: str = "255.255.255.0"
+    macvlan_vs_gw: str = "192.168.0.1"
+    macvlan_vs_ma: str = ""
+    macvlan_vs_mo: str = "private"
+    user_net: UserNet | None = None
+    exec_bin: Exe | None = None