podman_rest_client/v5/models/container_security_config.rs
1use serde::{Deserialize, Serialize};
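/// ContainerSecurityConfig is a container's security features, including
/// SELinux, Apparmor, and Seccomp.
///
/// Every field is optional. A field left as `None` is omitted from the
/// serialized request instead of being sent as JSON `null`, so the payload
/// carries only the settings the caller actually chose; on deserialization a
/// missing field becomes `None`.
///
/// Security note: `privileged`, `unmask` (especially `"ALL"`) and an unset
/// `user` (the container runs as root) all widen what the container can
/// reach — see the per-field docs before setting them.
#[derive(Default, Debug, Serialize, Deserialize)]
pub struct ContainerSecurityConfig {
    /// ApparmorProfile is the name of the Apparmor profile the container
    /// will use.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub apparmor_profile: Option<String>,
    /// CapAdd are capabilities which will be added to the container.
    /// Conflicts with Privileged.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cap_add: Option<Vec<String>>,
    /// CapDrop are capabilities which will be removed from the container.
    /// Conflicts with Privileged.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cap_drop: Option<Vec<String>>,
    /// Groups are a list of supplemental groups the container's user will
    /// be granted access to.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub groups: Option<Vec<String>>,
    /// IDMappings are the ID mapping options for the container; see
    /// `crate::v5::models::IdMappingOptions` for the individual mappings.
    /// Presumably used together with `userns` — not documented upstream.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub idmappings: Option<crate::v5::models::IdMappingOptions>,
    /// LabelNested indicates whether or not the container is allowed to
    /// run fully nested containers including SELinux labelling.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub label_nested: Option<bool>,
    /// Mask is the path we want to mask in the container. This masks the paths
    /// given in addition to the default list.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub mask: Option<Vec<String>>,
    /// NoNewPrivileges is whether the container will set the no new
    /// privileges flag on create, which disables gaining additional
    /// privileges (e.g. via setuid) in the container.
    /// Leaving this unset defers to the server's default; set it to `true`
    /// explicitly when the workload does not need setuid escalation.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub no_new_privileges: Option<bool>,
    /// Privileged is whether the container is privileged.
    /// Privileged does the following:
    /// Adds all devices on the system to the container.
    /// Adds all capabilities to the container.
    /// Disables Seccomp, SELinux, and Apparmor confinement.
    /// (Though SELinux can be manually re-enabled).
    /// Conflicts with CapAdd and CapDrop.
    /// In effect this removes the container's sandbox; treat `Some(true)`
    /// as a high-risk setting that needs an explicit justification.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub privileged: Option<bool>,
    /// ProcOpts are the options used for the proc mount.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub procfs_opts: Option<Vec<String>>,
    /// ReadOnlyFilesystem indicates that everything will be mounted
    /// as read-only.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub read_only_filesystem: Option<bool>,
    /// ReadWriteTmpfs indicates that, when running with ReadOnlyFilesystem,
    /// temporary file systems are still mounted read-write.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub read_write_tmpfs: Option<bool>,
    /// SeccompPolicy determines which seccomp profile gets applied to
    /// the container. Valid values: empty, default, image.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub seccomp_policy: Option<String>,
    /// SeccompProfilePath is the path to a JSON file containing the
    /// container's Seccomp profile.
    /// If not specified, no Seccomp profile will be used.
    /// NOTE(review): how this interacts with `seccomp_policy` when both are
    /// unset depends on the server — confirm against the Podman version in use.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub seccomp_profile_path: Option<String>,
    /// SelinuxOpts are the SELinux label options applied to the container.
    /// If SELinux is enabled and nothing is specified, a label will be
    /// generated automatically. (Upstream's doc still describes this field
    /// under its older single process-label form.)
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub selinux_opts: Option<Vec<String>>,
    /// Umask is the umask the init process of the container will be run with.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub umask: Option<String>,
    /// Unmask a path in the container. Some paths are masked by default,
    /// preventing them from being accessed within the container; this undoes
    /// that masking. If ALL is passed, all paths will be unmasked.
    /// Unmasking exposes whatever the default mask list protects; avoid
    /// `"ALL"` unless the workload genuinely needs it.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub unmask: Option<Vec<String>>,
    /// User is the user the container will be run as.
    /// Can be given as a UID or a username; if a username, it will be
    /// resolved within the container, using the container's /etc/passwd.
    /// If unset, the container will be run as root — prefer setting a
    /// non-root user.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<String>,
    /// UserNS is the user namespace configuration for the container; see
    /// `crate::v5::models::Namespace`.
    /// Optional.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub userns: Option<crate::v5::models::Namespace>,
}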
83}