nanos-unveil

1.1.0 • Public • Published

nanos-unveil

OpenBSD-style unveil syscall to restrict filesystem view on a Nanos unikernel

Usage

Access to the filesystem by a running process can be modified by calling the unveil function exported by this module, with the first argument (path) set to a filesystem path, and the second argument (permissions) set to a string containing zero or more of the following characters:

  • r: make path available for read operations
  • w: make path available for write operations
  • x: unused because a Nanos unikernel cannot execute arbitrary programs
  • c: allow path to be created and removed

The unveil function returns 0 on success, and a negative error number on failure. Error codes are available as module attributes:

  • errPerm: the process is attempting to increase permissions, i.e. the permissions string contains characters that were not present in a previous call to the unveil function with the given path
  • errNoent: a directory in path does not exist
  • errInval: permissions contains invalid characters

Example:

unveil = require('nanos-unveil');
unveil.unveil("/", "r");

For more information, see the relevant OpenBSD man page.

/nanos-unveil/

    Package Sidebar

    Install

    npm i nanos-unveil

    Weekly Downloads

    1

    Version

    1.1.0

    License

    MIT

    Unpacked Size

    2.08 kB

    Total Files

    3

    Last publish

    Collaborators

    • francescolavra