fst


Documentation

Overview

Package fst exports shared fortify types.

Index

Constants

// Tmp is the "/.fortify" path constant shared across the fortify module.
// NOTE(review): whether callers use it as an absolute path or join it onto a
// base directory is not visible from this package — confirm at the call sites.
const Tmp = "/.fortify"

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

// Config is used to seal an app implementation.
//
// NOTE(review): every field carries a json tag, so values may originate from a
// decoded configuration document. Path, Shell, Data and Dir are documented as
// absolute paths but nothing in this package checks that; confirm where that
// validation happens before relying on them.
type Config struct {
	// reverse-DNS style arbitrary identifier string from config;
	// passed to wayland security-context-v1 as application ID
	// and used as part of defaults in dbus session proxy
	ID string `json:"id"`

	// absolute path to executable file
	Path string `json:"path,omitempty"`
	// final args passed to container init
	Args []string `json:"args"`

	// system services to make available in the container
	Enablements system.Enablement `json:"enablements"`

	// session D-Bus proxy configuration;
	// nil makes session bus proxy assume built-in defaults
	SessionBus *dbus.Config `json:"session_bus,omitempty"`
	// system D-Bus proxy configuration;
	// nil disables system bus proxy
	SystemBus *dbus.Config `json:"system_bus,omitempty"`
	// direct access to wayland socket; when this gets set no attempt is made to attach security-context-v1
	// and the bare socket is mounted to the sandbox.
	// NOTE(review): skipping security-context-v1 presumably forfeits whatever
	// per-client restrictions the compositor applies to sandboxed clients;
	// prefer leaving this unset unless the app demonstrably needs it.
	DirectWayland bool `json:"direct_wayland,omitempty"`

	// passwd username in container, defaults to passwd name of target uid or chronos
	Username string `json:"username,omitempty"`
	// absolute path to shell, empty for host shell
	Shell string `json:"shell,omitempty"`
	// absolute path to home directory in the init mount namespace
	Data string `json:"data"`
	// directory to enter and use as home in the container mount namespace, empty for Data
	Dir string `json:"dir"`
	// extra acl ops, dispatches before container init;
	// NOTE(review): these are applied before the container exists, so they
	// presumably outlive it — confirm whether they are reverted on exit.
	ExtraPerms []*ExtraPermConfig `json:"extra_perms,omitempty"`

	// numerical application id, used for init user namespace credentials
	Identity int `json:"identity"`
	// list of supplementary groups inherited by container processes
	Groups []string `json:"groups"`

	// abstract container configuration baseline
	Container *ContainerConfig `json:"container"`
}

Config is used to seal an app implementation.

func Template

func Template() *Config

Template returns a fully populated instance of Config.

type ContainerConfig added in v0.4.0

// ContainerConfig describes the container configuration baseline that the app
// implementation builds upon.
//
// NOTE(review): per their own comments, Devel, Userns, Net, Tty, Multiarch,
// MapRealUID and Device each relax the container's isolation; a reviewer
// should expect them to be false unless an app has a stated need.
type ContainerConfig struct {
	// container hostname
	Hostname string `json:"hostname,omitempty"`

	// extra seccomp flags
	Seccomp seccomp.FilterOpts `json:"seccomp"`
	// allow ptrace and friends
	Devel bool `json:"devel,omitempty"`
	// allow userns creation in container
	Userns bool `json:"userns,omitempty"`
	// share host net namespace
	Net bool `json:"net,omitempty"`
	// allow dangerous terminal I/O
	Tty bool `json:"tty,omitempty"`
	// allow multiarch
	Multiarch bool `json:"multiarch,omitempty"`

	// initial process environment variables
	Env map[string]string `json:"env"`
	// map target user uid to privileged user uid in the user namespace
	MapRealUID bool `json:"map_real_uid"`

	// pass through all devices
	Device bool `json:"device,omitempty"`
	// container host filesystem bind mounts
	Filesystem []*FilesystemConfig `json:"filesystem"`
	// create symlinks inside container filesystem;
	// NOTE(review): which element of each pair is the link name and which
	// is the target is not visible here — confirm against the consumer.
	Link [][2]string `json:"symlink"`

	// read-only /etc directory
	Etc string `json:"etc,omitempty"`
	// automatically set up /etc symlinks
	AutoEtc bool `json:"auto_etc"`
	// cover these paths or create them if they do not already exist
	Cover []string `json:"cover"`
}

ContainerConfig describes the container configuration baseline that the app implementation builds upon.

type ExtraPermConfig added in v0.2.8

// ExtraPermConfig describes an acl update op.
type ExtraPermConfig struct {
	// NOTE(review): meaning not visible here; presumably ensures Path (or
	// its acl entry) exists before the op is applied — confirm with the dispatcher
	Ensure  bool   `json:"ensure,omitempty"`
	// path the acl op applies to
	Path    string `json:"path"`
	// read permission of the acl entry
	Read    bool   `json:"r,omitempty"`
	// write permission of the acl entry
	Write   bool   `json:"w,omitempty"`
	// execute permission of the acl entry
	Execute bool   `json:"x,omitempty"`
}

ExtraPermConfig describes an acl update op.

func (*ExtraPermConfig) String added in v0.2.8

func (e *ExtraPermConfig) String() string

type FilesystemConfig

// FilesystemConfig is an abstract representation of a bind mount.
type FilesystemConfig struct {
	// mount point in container, same as src if empty
	Dst string `json:"dst,omitempty"`
	// host filesystem path to make available to the container
	Src string `json:"src"`
	// do not mount filesystem read-only
	Write bool `json:"write,omitempty"`
	// do not disable device files;
	// NOTE(review): this widens what the container can reach through the
	// mount in the same way Device on ContainerConfig does — keep it unset by default
	Device bool `json:"dev,omitempty"`
	// fail if the bind mount cannot be established for any reason;
	// NOTE(review): when unset a failed mount is presumably tolerated silently — confirm
	Must bool `json:"require,omitempty"`
}

FilesystemConfig is an abstract representation of a bind mount.

type Info added in v0.2.9

// Info is a shared type exported for other fortify packages; the page carries
// no description of it.
type Info struct {
	// NOTE(review): presumably a uid — confirm against callers
	User int `json:"user"`
}
