nanos-unveil/index.js

OpenBSD-style unveil syscall to restrict filesystem view on a Nanos unikernel

var ffi = require("ffi-napi");
var syscallLib = ffi.Library(null, {
    "syscall": ['long', ['long', 'string', 'string']]
});

exports.unveil = function(path, permissions) {
    const unveilSyscallNum = 336;
    var ret = syscallLib.syscall(unveilSyscallNum, path, permissions);
    if (ret == 0)
        return 0;
    else
        return -ffi.errno();
}

exports.errPerm = -1
exports.errNoent = -2
exports.errInval = -22