nanos-unveil

1.1.0 • Public • Published

nanos-unveil

OpenBSD-style unveil syscall to restrict filesystem view on a Nanos unikernel

Usage

Access to the filesystem by a running process can be modified by calling the unveil function exported by this module, with the first argument (path) set to a filesystem path, and the second argument (permissions) set to a string containing zero or more of the following characters:

  • r: make path available for read operations
  • w: make path available for write operations
  • x: unused because a Nanos unikernel cannot execute arbitrary programs
  • c: allow path to be created and removed

The unveil function returns 0 on success, and a negative error number on failure. Error codes are available as module attributes:

  • errPerm: the process is attempting to increase permissions, i.e. the permissions string contains characters that were not present in a previous call to the unveil function with the given path
  • errNoent: a directory in path does not exist
  • errInval: permissions contains invalid characters

Example:

unveil = require('nanos-unveil');
unveil.unveil("/", "r");

For more information, see the relevant OpenBSD man page.

Readme

Keywords

Package Sidebar

Install

npm i nanos-unveil

Weekly Downloads

0

Version

1.1.0

License

MIT

Unpacked Size

2.08 kB

Total Files

3

Last publish

Collaborators

  • francescolavra