# nanos-unveil
OpenBSD-style unveil syscall to restrict filesystem view on a Nanos unikernel
## Usage
Access to the filesystem by a running process can be modified by calling the `unveil` function exported by this module, with the first argument (`path`) set to a filesystem path, and the second argument (`permissions`) set to a string containing zero or more of the following characters:
- `r`: make `path` available for read operations
- `w`: make `path` available for write operations
- `x`: unused because a Nanos unikernel cannot execute arbitrary programs
- `c`: allow `path` to be created and removed
The unveil function returns 0 on success, and a negative error number on failure. Error codes are available as module attributes:
- `errPerm`: the process is attempting to increase permissions, i.e. the `permissions` string contains characters that were not present in a previous call to the `unveil` function with the given `path`
- `errNoent`: a directory in `path` does not exist
- `errInval`: `permissions` contains invalid characters
Example:
```js
const unveil = require('nanos-unveil');
// Make "/" available for read operations only
unveil.unveil("/", "r");
```
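The error codes listed above are only useful if the return value is checked. As an added example (not code from the nanos-unveil project), the wrapper below applies a list of path/permission pairs and throws on the first non-zero result, so the process never keeps running with a wider filesystem view than intended. `applyUnveilPolicy`, `errorName`, `makeStubUnveil`, the sample paths and the stub's error numbers are assumptions made for illustration.

```javascript
const ALLOWED = new Set(['r', 'w', 'x', 'c']);
const ERROR_NAMES = ['errPerm', 'errNoent', 'errInval'];

// Map a non-zero return value to the name of the matching module attribute.
// Assumption: the attributes hold error numbers; magnitudes are compared
// because the README does not say whether they are stored negated.
function errorName(mod, rc) {
  const hit = ERROR_NAMES.find((n) => Math.abs(mod[n]) === Math.abs(rc));
  return hit || `unknown error ${rc}`;
}

// Apply every [path, permissions] pair in order and fail closed:
// a typo in the policy or a non-zero return aborts start-up.
function applyUnveilPolicy(mod, policy) {
  for (const [path, perms] of policy) {
    const bad = [...perms].filter((ch) => !ALLOWED.has(ch));
    if (bad.length > 0) {
      throw new Error(`policy bug: invalid permission "${bad.join('')}" for ${path}`);
    }
    const rc = mod.unveil(path, perms);
    if (rc !== 0) {
      throw new Error(`unveil(${path}, "${perms}") failed: ${errorName(mod, rc)}`);
    }
  }
  return policy.length; // number of paths unveiled
}

// Constructed stand-in for the native module so the wrapper can be exercised
// off-target. It models only the documented errPerm and errInval behaviour;
// the error numbers are placeholders, not values taken from the module.
function makeStubUnveil() {
  const seen = new Map(); // path -> permissions granted by the previous call
  return {
    errPerm: -1, errNoent: -2, errInval: -22,
    unveil(path, perms) {
      if ([...perms].some((ch) => !ALLOWED.has(ch))) return this.errInval;
      const prev = seen.get(path);
      const widens = prev !== undefined && [...perms].some((ch) => !prev.includes(ch));
      if (widens) return this.errPerm;
      seen.set(path, perms);
      return 0;
    },
  };
}

// On Nanos (sample paths are constructed):
//   applyUnveilPolicy(require('nanos-unveil'), [['/data', 'rwc'], ['/etc', 'r']]);
```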
For more information, see the relevant [OpenBSD man page](https://man.openbsd.org/unveil.2).