Documentation
¶
Index ¶
- Constants
- Variables
- func ClearCurrentProgramState()
- func DoMain(regfn func(*env.ProgramState) error)
- func DoReexecInUnshare(cfg UnshareConfig)
- func GetScriptDirectory() string
- func IsUnshareChild() bool
- func SetCurrentProgramState(ps *env.ProgramState)
- func SetupUnshareFilesystem() error
- type UnshareConfig
Constants ¶
const Option_Do_Main bool = false
const Option_Embed_Main bool = false
Variables ¶
var ( // Seccomp options (Linux only) - using pure Go library SeccompProfile = flag.String("seccomp-profile", "", "Seccomp profile to use: strict, readonly") SeccompAction = flag.String("seccomp-action", "errno", "Action on restricted syscalls: errno, kill, trap, log") // Landlock options (Linux only) - using landlock-go library LandlockEnabled = flag.Bool("landlock", false, "Enable landlock filesystem access control") LandlockProfile = flag.String("landlock-profile", "readonly", "Landlock profile: readonly, readexec, custom") LandlockPaths = flag.String("landlock-paths", "", "Comma-separated list of paths to allow access to (for custom profile)") // HTTP options HttpPort = flag.String("http", "", "Start Rye in HTTP REPL mode on specified port (localhost only)") // Code signing options CodeSigEnforced = flag.Bool("codesig", false, "Enforce code signature verification") // Unshare options (Linux only) - namespace isolation via re-exec // Inspect/debugging options NoInspect = flag.Bool("noinspect", false, "Exit immediately on error without showing debugging options") )
var CurrentScriptDirectory string
CurrentScriptDirectory stores the directory of the currently executing script
var Rye_files embed.FS
var Version = "development"
Version variable is set during build using -ldflags eg in Goreleaser: https://goreleaser.com/cookbooks/using-main.version
Functions ¶
func ClearCurrentProgramState ¶ added in v0.0.88
func ClearCurrentProgramState()
ClearCurrentProgramState unregisters the program state
func DoMain ¶
func DoMain(regfn func(*env.ProgramState) error)
func DoReexecInUnshare ¶ added in v0.2.3
func DoReexecInUnshare(cfg UnshareConfig)
DoReexecInUnshare re-execs the current Rye binary with the requested Linux namespace clone flags. The parent process forwards stdin/stdout/stderr and waits for the child to exit, then exits with the child's exit code.
This must only be called from the parent (i.e. when IsUnshareChild() is false).
func GetScriptDirectory ¶ added in v0.0.81
func GetScriptDirectory() string
GetScriptDirectory returns the directory of the currently executing script
func IsUnshareChild ¶ added in v0.2.3
func IsUnshareChild() bool
IsUnshareChild reports whether the current process is the sandboxed child spawned by a parent Rye process.
func SetCurrentProgramState ¶ added in v0.0.88
func SetCurrentProgramState(ps *env.ProgramState)
SetCurrentProgramState registers the currently executing program state for signal handling
func SetupUnshareFilesystem ¶ added in v0.2.3
func SetupUnshareFilesystem() error
SetupUnshareFilesystem sets up the filesystem jail inside the child process. It:
- Locks the goroutine to its OS thread (required for mount namespace changes).
- Makes all existing mounts private so nothing leaks back to the host.
- Creates a tmpfs jail in /tmp/rye_jail_<pid>.
- Bind-mounts the current working directory (read-only) as /app inside the jail.
- Performs pivot_root so / becomes the jail.
- Chdir to /app so relative script paths continue to work.
- Unmounts the old root.
Must be called early in the child process before any interpreter state is set up.
Types ¶
type UnshareConfig ¶ added in v0.2.3
type UnshareConfig struct {
}
UnshareConfig holds the namespace isolation options collected from CLI flags or the security policy file.
func ReadUnshareChildConfig ¶ added in v0.2.3
func ReadUnshareChildConfig() UnshareConfig
ReadUnshareChildConfig returns the UnshareConfig that was passed to this child via environment variables. Only meaningful when IsUnshareChild() is true.
Source Files