Donner 0.5.1
Embeddable browser-grade SVG2 engine
Knobs for which hardening measures to apply. Defaults match the "strict production sandbox child" profile the design doc calls out. Tests and developer tools can relax individual measures — e.g., setting requireSandboxEnv = false makes the child runnable by hand under a debugger.
#include "donner/editor/sandbox/SandboxHardening.h"
Public Attributes

| Type | Member | Description |
|---|---|---|
| bool | requireSandboxEnv = true | Verify that DONNER_SANDBOX=1 is set in the environment. The child refuses to run otherwise. Set to false only for ad-hoc developer debugging — the SandboxHost always sets this in production. |
| std::size_t | addressSpaceBytes = 1024uLL * 1024uLL * 1024uLL | RLIMIT_AS cap in bytes. 0 means "leave unset". Default 1 GiB — large enough for any real SVG the parser might touch, small enough that a runaway allocation is caught at the kernel boundary. |
| unsigned int | cpuSeconds = 30 | RLIMIT_CPU cap in wall seconds. 0 = unset. Default 30 s. |
| std::size_t | maxFileBytes = 0 | RLIMIT_FSIZE cap in bytes. 0 means "no file writes allowed" — pipe writes (stdout) are unaffected because pipes are not regular files. |
| unsigned int | maxOpenFiles = 16 | RLIMIT_NOFILE cap. Default 16 (stdin/stdout/stderr plus headroom for any internal FDs glibc may open transiently). |
| bool | chdirRoot = true | Change working directory to / so relative paths can't escape. |
| bool | closeExtraFds = true | Close all inherited file descriptors above stderr (FD 2) before reading any untrusted input. |
| bool | logSummaryToStderr = true | Emit a single-line summary of the applied profile to stderr. Useful for tests (which grep for the marker) and for debugging. |
| bool | installSeccompFilter = true | Install a seccomp-bpf syscall allowlist (Linux only). Denied syscalls return -EACCES in the current "fail-open" mode; future hardening will switch to SECCOMP_RET_KILL_PROCESS. On non-Linux platforms this field is silently ignored. |
std::size_t donner::editor::sandbox::HardeningOptions::addressSpaceBytes = 1024uLL * 1024uLL * 1024uLL

RLIMIT_AS cap in bytes. 0 means "leave unset". Default 1 GiB — large enough for any real SVG the parser might touch, small enough that a runaway allocation is caught at the kernel boundary.

bool donner::editor::sandbox::HardeningOptions::chdirRoot = true

Change working directory to / so relative paths can't escape.

bool donner::editor::sandbox::HardeningOptions::closeExtraFds = true

Close all inherited file descriptors above stderr (FD 2) before reading any untrusted input.

unsigned int donner::editor::sandbox::HardeningOptions::cpuSeconds = 30

RLIMIT_CPU cap in wall seconds. 0 = unset. Default 30 s.

bool donner::editor::sandbox::HardeningOptions::installSeccompFilter = true

Install a seccomp-bpf syscall allowlist (Linux only). Denied syscalls return -EACCES in the current "fail-open" mode; future hardening will switch to SECCOMP_RET_KILL_PROCESS. On non-Linux platforms this field is silently ignored.

bool donner::editor::sandbox::HardeningOptions::logSummaryToStderr = true

Emit a single-line summary of the applied profile to stderr. Useful for tests (which grep for the marker) and for debugging.

std::size_t donner::editor::sandbox::HardeningOptions::maxFileBytes = 0

RLIMIT_FSIZE cap in bytes. 0 means "no file writes allowed" — pipe writes (stdout) are unaffected because pipes are not regular files.

unsigned int donner::editor::sandbox::HardeningOptions::maxOpenFiles = 16

RLIMIT_NOFILE cap. Default 16 (stdin/stdout/stderr plus headroom for any internal FDs glibc may open transiently).

bool donner::editor::sandbox::HardeningOptions::requireSandboxEnv = true

Verify that DONNER_SANDBOX=1 is set in the environment. The child refuses to run otherwise. Set to false only for ad-hoc developer debugging — the SandboxHost always sets this in production.
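The following is an added illustration of how a child process would apply these knobs with plain POSIX calls; it is not Donner's own implementation. The struct mirrors the documented fields (seccomp and the stderr summary are left out), while `sandboxEnvSatisfied`, `rlimitFor`, `applyHardening` and its numeric step codes are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <sys/resource.h>
#include <unistd.h>

// Mirrors the knobs documented above; seccomp and the stderr summary are omitted.
struct HardeningOptions {
  bool requireSandboxEnv = true;
  std::size_t addressSpaceBytes = 1024uLL * 1024uLL * 1024uLL;
  unsigned int cpuSeconds = 30;
  std::size_t maxFileBytes = 0;
  unsigned int maxOpenFiles = 16;
  bool chdirRoot = true;
  bool closeExtraFds = true;
};

// Fails closed: only the exact value "1" satisfies the DONNER_SANDBOX check.
bool sandboxEnvSatisfied(const char* value) {
  return value != nullptr && std::strcmp(value, "1") == 0;
}

// Maps one knob onto an rlimit; returns false when the knob means "leave unset".
// Note the asymmetry in the docs: 0 for RLIMIT_AS/RLIMIT_CPU means unset, but 0 for
// RLIMIT_FSIZE is a real limit (no regular-file writes). RLIMIT_CPU counts CPU time.
bool rlimitFor(const HardeningOptions& o, int resource, struct rlimit* out) {
  rlim_t v = 0;
  switch (resource) {
    case RLIMIT_AS:     if (o.addressSpaceBytes == 0) return false; v = o.addressSpaceBytes; break;
    case RLIMIT_CPU:    if (o.cpuSeconds == 0) return false; v = o.cpuSeconds; break;
    case RLIMIT_FSIZE:  v = o.maxFileBytes; break;
    case RLIMIT_NOFILE: v = o.maxOpenFiles; break;
    default: return false;
  }
  out->rlim_cur = out->rlim_max = v;  // hard == soft, so the child cannot raise it again
  return true;
}

// Applies the profile to the calling process. Returns 0 on success, otherwise the
// number of the failed step (assumed codes). The env check runs first so a
// mis-launched child exits before any limit or fd change is made.
int applyHardening(const HardeningOptions& o) {
  if (o.requireSandboxEnv && !sandboxEnvSatisfied(std::getenv("DONNER_SANDBOX"))) return 1;
  if (o.chdirRoot && chdir("/") != 0) return 2;
  if (o.closeExtraFds) {  // close everything above stderr before touching untrusted input
    const long maxFd = sysconf(_SC_OPEN_MAX);
    for (int fd = 3; fd < maxFd; ++fd) close(fd);
  }
  const int resources[] = {RLIMIT_AS, RLIMIT_CPU, RLIMIT_FSIZE, RLIMIT_NOFILE};
  for (int r : resources) {
    struct rlimit rl;
    if (rlimitFor(o, r, &rl) && setrlimit(r, &rl) != 0) return 3;
  }
  return 0;
}
```

Because hard and soft limits are set equal, a later `setrlimit` from the same process can only lower them, which is the property that makes the caps meaningful against a compromised parser.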