Shellbox
Library and server for containerized shell execution
Shellbox\Command\BashWrapper Class Reference

A ulimit/cgroup wrapper implemented as a bash script.

Public Member Functions

 __construct ( $cgroup=false)
 
 wrap (Command $command)
 Modify the command passed as a parameter.
 
 getPriority ()
 Get an integer priority level used to determine the order in which to run multiple wrappers.
 
- Public Member Functions inherited from Shellbox\Command\Wrapper
 setLogger (LoggerInterface $logger)
 Set the logger.
 

Public Attributes

const PRIORITY = 60
 Needs to be outside of firejail so that it can set up a cgroup.
 

Additional Inherited Members

- Protected Attributes inherited from Shellbox\Command\Wrapper
 $logger
 

Detailed Description

A ulimit/cgroup wrapper implemented as a bash script.

Constructor & Destructor Documentation

◆ __construct()

Shellbox\Command\BashWrapper::__construct ( $cgroup = false)
Parameters
string|false $cgroup  Under Linux: a cgroup directory used to constrain memory usage of shell commands. The directory must be writable by the web server. If this is false, no memory limit will be applied.

Member Function Documentation

◆ getPriority()

Shellbox\Command\BashWrapper::getPriority ( )

Get an integer priority level used to determine the order in which to run multiple wrappers.

Low numbers are innermost; high numbers are outermost and run last.

If you nest sandboxes, it makes sense to have the most privileged hypervisor/wrapper at the outside, and the least privileged on the inside. Suggested values:

  • 20: ulimit
  • 40: chroot
  • 60: system-level container
  • 80: initial shell
Returns
int

Reimplemented from Shellbox\Command\Wrapper.

◆ wrap()

Shellbox\Command\BashWrapper::wrap ( Command $command)

Modify the command passed as a parameter.

Parameters
Command $command

Reimplemented from Shellbox\Command\Wrapper.

Member Data Documentation

◆ PRIORITY

const Shellbox\Command\BashWrapper::PRIORITY = 60

Needs to be outside of firejail so that it can set up a cgroup.

Also, firejail may disable syscalls, breaking the bash wrapper.
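
The ordering rule from getPriority() and the reason PRIORITY is 60, as an added sketch that is not Shellbox's own code: the DemoWrapper interface, PrefixWrapper class, applyWrappers() function, the prefix strings and the inner priority 40 are all hypothetical. It assumes wrappers are applied in ascending priority, so the wrapper applied last encloses the others and its resource limits are set before the syscall-restricting container starts.

```php
<?php
// Illustrative sketch only: these types are hypothetical stand-ins, not Shellbox's API.

interface DemoWrapper {
    public function getPriority(): int;
    /** Return the argv with this wrapper's prefix placed in front of it. */
    public function wrap(array $argv): array;
}

final class PrefixWrapper implements DemoWrapper {
    public function __construct(private int $priority, private array $prefix) {}
    public function getPriority(): int { return $this->priority; }
    public function wrap(array $argv): array { return array_merge($this->prefix, $argv); }
}

/**
 * Apply wrappers in ascending priority order. Each wrap() call encloses
 * everything applied before it, so the highest priority is applied last
 * and ends up outermost.
 */
function applyWrappers(array $argv, array $wrappers): array {
    usort(
        $wrappers,
        fn (DemoWrapper $a, DemoWrapper $b) => $a->getPriority() <=> $b->getPriority()
    );
    foreach ($wrappers as $wrapper) {
        $argv = $wrapper->wrap($argv);
    }
    return $argv;
}

// Constructed sample: the prefixes and the priority 40 are made up for the demo;
// 60 is the BashWrapper::PRIORITY value documented on this page.
$wrappers = [
    new PrefixWrapper(60, ['limit-wrapper', '--']),   // ulimit/cgroup setup
    new PrefixWrapper(40, ['sandbox-wrapper', '--']), // container that may restrict syscalls
];

// Registration order does not matter; only the priority decides the nesting.
$final = applyWrappers(['convert', 'in.png', 'out.jpg'], $wrappers);
echo implode(' ', $final), PHP_EOL;
```

The printed command line starts with the priority-60 prefix, followed by the priority-40 prefix and then the original command, which is the nesting the PRIORITY note asks for.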


The documentation for this class was generated from the following file: