Reusable process sandbox options for systemd-backed runtimes. Every option admits `nil` ("not specified"), so a sandbox with all options left at `nil` should be assumed to apply no hardening; callers should set their baseline restrictions explicitly rather than rely on the struct's defaults.
Summary
Types
# Address family selector used by the `restrict_address_families` field of `t()`.
# The three atoms form a small allow-list of well-known families; the `String.t()`
# branch is a free-form escape hatch that the type does not validate, so a caller
# using it is responsible for passing a value the systemd runtime accepts
# (presumably a `RestrictAddressFamilies=` token — confirm against the unit
# emitter). Prefer the atoms where they suffice.
@type address_family() :: :inet | :inet6 | :unix | String.t()
# Value for the `protect_system` field of `t()`. `:full` and `:strict` name the
# stricter modes (by their names; exact mapping onto the systemd directive is not
# visible here), `boolean()` presumably selects the basic on/off mode, and `nil`
# means "not specified". NOTE(review): as with every other field of `t()`, a `nil`
# is presumably left unset in the generated unit, in which case systemd's own
# (permissive) default applies — confirm in the emitter.
@type protect_system() :: :full | :strict | boolean() | nil
# The full sandbox option set. Every field admits `nil`, so a default-constructed
# struct expresses *no* hardening; protection only comes from fields that are
# explicitly set, and callers should set their baseline deliberately.
# Fields with a `String.t()` branch (`protect_home`, `restrict_address_families`,
# `system_call_architectures`) are free-form escape hatches beside the typed
# alternatives; the type itself performs no validation of those strings.
# The path lists (`inaccessible_paths`, `read_only_paths`, `read_write_paths`)
# are plain strings. NOTE(review): if they are written verbatim into a unit file,
# a value containing an embedded newline or unexpected whitespace could alter or
# inject directives — confirm the emitter validates and quotes them.
# Not covered by this struct: there is no seccomp syscall-filter or capability
# bounding-set field, only `system_call_architectures`; those controls must be
# supplied elsewhere if required.
@type t() :: %HostKit.Runtime.Sandbox{ inaccessible_paths: [String.t()], lock_personality: boolean() | nil, no_new_privileges: boolean() | nil, private_devices: boolean() | nil, private_network: boolean() | nil, private_tmp: boolean() | nil, protect_clock: boolean() | nil, protect_control_groups: boolean() | nil, protect_home: boolean() | String.t() | nil, protect_hostname: boolean() | nil, protect_kernel_logs: boolean() | nil, protect_kernel_modules: boolean() | nil, protect_kernel_tunables: boolean() | nil, protect_system: protect_system(), read_only_paths: [String.t()], read_write_paths: [String.t()], remove_ipc: boolean() | nil, restrict_address_families: [address_family()] | String.t() | nil, restrict_realtime: boolean() | nil, restrict_suid_sgid: boolean() | nil, system_call_architectures: atom() | String.t() | nil }