Diffstat (limited to 'src/runner/runc/spec.rs')
-rw-r--r--src/runner/runc/spec.rs157
1 files changed, 157 insertions, 0 deletions
diff --git a/src/runner/runc/spec.rs b/src/runner/runc/spec.rs
new file mode 100644
index 0000000..c549399
--- /dev/null
+++ b/src/runner/runc/spec.rs
@@ -0,0 +1,157 @@
+use oci_spec::runtime;
+use serde::Deserialize;
+use serde_json::json;
+
+use crate::unshare;
+
+pub fn generate_spec(run: &str) -> runtime::Spec {
+ runtime::Spec::deserialize(json!({
+ "ociVersion": "1.0.2",
+ "process": {
+ "terminal": false,
+ "user": {
+ "uid": unshare::BUILD_UID,
+ "gid": unshare::BUILD_GID
+ },
+ "args": [
+ "sh",
+ "-c",
+ run
+ ],
+ "env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM=xterm"
+ ],
+ "cwd": "/rebel",
+ "noNewPrivileges": true
+ },
+ "root": {
+ "path": "../rootfs",
+ "readonly": true
+ },
+ "hostname": "rebel-builder",
+ "mounts": [
+ {
+ "destination": "/proc",
+ "type": "proc",
+ "source": "proc"
+ },
+ {
+ "destination": "/dev",
+ "type": "tmpfs",
+ "source": "tmpfs",
+ "options": [
+ "nosuid",
+ "strictatime",
+ "mode=755",
+ "size=65536k"
+ ]
+ },
+ {
+ "destination": "/dev/pts",
+ "type": "devpts",
+ "source": "devpts",
+ "options": [
+ "nosuid",
+ "noexec",
+ "newinstance",
+ "ptmxmode=0666",
+ "mode=0620",
+ "gid=5"
+ ]
+ },
+ {
+ "destination": "/dev/shm",
+ "type": "tmpfs",
+ "source": "shm",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "mode=1777",
+ "size=65536k"
+ ]
+ },
+ {
+ "destination": "/dev/mqueue",
+ "type": "mqueue",
+ "source": "mqueue",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev"
+ ]
+ },
+ {
+ "destination": "/sys",
+ "type": "sysfs",
+ "source": "sysfs",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "ro"
+ ]
+ },
+ {
+ "destination": "/sys/fs/cgroup",
+ "type": "cgroup",
+ "source": "cgroup",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "relatime",
+ "ro"
+ ]
+ }
+ ],
+ "linux": {
+ "resources": {
+ "devices": [
+ {
+ "allow": false,
+ "access": "rwm"
+ }
+ ]
+ },
+ "namespaces": [
+ {
+ "type": "pid"
+ },
+ {
+ "type": "network"
+ },
+ {
+ "type": "ipc"
+ },
+ {
+ "type": "uts"
+ },
+ {
+ "type": "mount"
+ }
+ ],
+ "maskedPaths": [
+ "/proc/acpi",
+ "/proc/asound",
+ "/proc/kcore",
+ "/proc/keys",
+ "/proc/latency_stats",
+ "/proc/timer_list",
+ "/proc/timer_stats",
+ "/proc/sched_debug",
+ "/sys/firmware",
+ "/proc/scsi"
+ ],
+ "readonlyPaths": [
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger"
+ ]
+ }
+ }))
+ .unwrap()
+}
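Review bot: `generate_spec` is public but carries no doc comment, and the trailing `.unwrap()` turns any slip in the literal JSON (a misspelled key, a wrong value type) into an opaque panic at the first call; state the contract and name the invariant with `/// Builds the OCI runtime spec that runs `run` via `sh -c` as `BUILD_UID:BUILD_GID` in a read-only `../rootfs`, with fresh pid/net/ipc/uts/mount namespaces and a default-deny device cgroup.` above the fn and `.expect("static OCI spec literal must deserialize")` in place of the unwrap. The spec sets neither `process.capabilities` nor a `user` namespace; if that is deliberate because `crate::unshare` already sets up the user namespace before runc is invoked (inferred from the module name and the `BUILD_UID`/`BUILD_GID` constants), a one-line comment saying so would stop a later reader from assuming privilege is dropped here. `json!` serializes `run` as a JSON string, so it reaches `sh -c` verbatim; that is the intended interface for a build runner, but the doc comment should make explicit that the caller is responsible for the content of `run`.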