config

Module: config

Contents

Structs

• CapabilityLeaseConfig - Capability lease refresh settings.
• CommandMediatorConfig - Runtime command mediation settings for governed local execution.
• ExecutableLaunchPolicy - Per-executable CLI argument policy injected by firma run.
• MountSpec - Mount entry passed to sandbox backends.
• NetworkPolicy - Network policy toggles used by backend implementations.
• ResolvedProfile - Resolved runtime profile after combining built-in defaults, optional file
• SeccompPolicyConfig - Seccomp policy compilation settings for Linux bwrap backend.

Enums

• CapabilitySource - Source for capability material.
• CommandMediatorEndpoint
• CommandMediatorHitlMode
• SandboxIdentityMode - Identity mode used inside sandboxed execution.
• SeccompRuntimeMode - Runtime behavior for managed seccomp artifact selection.
• SidecarEndpoint - Sidecar endpoint form used by the wrapper.

Functions

• resolve_profile - Resolve profile configuration for a run invocation.

---

firma_run::config::CapabilityLeaseConfig

Struct

Capability lease refresh settings.

Fields:

• source: CapabilitySource
• refresh_ratio: f64
• grace_seconds: u64

Trait Implementations:

• Clone
  • fn clone(self: &Self) -> CapabilityLeaseConfig
• PartialEq
  • fn eq(self: &Self, other: &CapabilityLeaseConfig) -> bool
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>

firma_run::config::CapabilitySource

Enum

Source for capability material.

Variants:

• Disabled
• File{ path: std::path::PathBuf }

Traits: Eq

Trait Implementations:

• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
• Clone
  • fn clone(self: &Self) -> CapabilitySource
• PartialEq
  • fn eq(self: &Self, other: &CapabilitySource) -> bool

firma_run::config::CommandMediatorConfig

Struct

Runtime command mediation settings for governed local execution.

Fields:

• endpoint: CommandMediatorEndpoint
• timeout_ms: u64
• hitl_mode: CommandMediatorHitlMode
• hitl_max_wait_ms: u64 - Maximum total wall-clock time firma-run will block waiting for a
• enforce_known_executables: bool
• allowed_executables: std::collections::BTreeSet<String>

Traits: Eq

Trait Implementations:

• Clone
  • fn clone(self: &Self) -> CommandMediatorConfig
• PartialEq
  • fn eq(self: &Self, other: &CommandMediatorConfig) -> bool
• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result

firma_run::config::CommandMediatorEndpoint

Enum

Variants:

• Tcp{ addr: std::net::SocketAddr }
• Unix{ path: std::path::PathBuf }

Traits: Eq

Trait Implementations:

• Clone
  • fn clone(self: &Self) -> CommandMediatorEndpoint
• PartialEq
  • fn eq(self: &Self, other: &CommandMediatorEndpoint) -> bool
• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result

firma_run::config::CommandMediatorHitlMode

Enum

Variants:

• SyncWait
• AsyncToken

Traits: Eq, Copy

Trait Implementations:

• Clone
  • fn clone(self: &Self) -> CommandMediatorHitlMode
• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
• Deserialize
  • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
• PartialEq
  • fn eq(self: &Self, other: &CommandMediatorHitlMode) -> bool

firma_run::config::ExecutableLaunchPolicy

Struct

Per-executable CLI argument policy injected by firma run.

Fields:

• enforce_wrapper_defaults: bool
• sandbox_mode: Option<String>
• approval_policy: Option<String>
• config_overrides: std::collections::BTreeMap<String, String>

Traits: Eq

Trait Implementations:

• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
• Clone
  • fn clone(self: &Self) -> ExecutableLaunchPolicy
• PartialEq
  • fn eq(self: &Self, other: &ExecutableLaunchPolicy) -> bool

firma_run::config::MountSpec

Struct

Mount entry passed to sandbox backends.

Fields:

• source: std::path::PathBuf
• target: std::path::PathBuf
• read_only: bool

Traits: Eq

Trait Implementations:

• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
• Clone
  • fn clone(self: &Self) -> MountSpec
• PartialEq
  • fn eq(self: &Self, other: &MountSpec) -> bool

firma_run::config::NetworkPolicy

Struct

Network policy toggles used by backend implementations.

Fields:

• enforce_network_namespace: bool
• fail_closed: bool

Traits: Eq

Trait Implementations:

• Clone
  • fn clone(self: &Self) -> NetworkPolicy
• PartialEq
  • fn eq(self: &Self, other: &NetworkPolicy) -> bool
• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result

firma_run::config::ResolvedProfile

Struct

Resolved runtime profile after combining built-in defaults, optional file config, and CLI overrides.

Fields:

• id: String
• backend: crate::backend::BackendKind
• sidecar_endpoint: SidecarEndpoint
• sidecar_selection: crate::sidecar::SidecarSelection
• env_passthrough: std::collections::BTreeSet<String>
• env_set: std::collections::BTreeMap<String, String>
• mounts: Vec<MountSpec>
• seccomp_policy: Option<SeccompPolicyConfig>
• allowed_domains: Vec<String>
• network: NetworkPolicy
• identity_mode: SandboxIdentityMode
• capability: CapabilityLeaseConfig
• sidecar_local_exec: Option<CommandMediatorConfig>
• executable_policies: std::collections::BTreeMap<String, ExecutableLaunchPolicy>
• use_http_proxy_sidecar: bool - When true, the autostarted sidecar is configured in HTTP proxy

Methods:

• fn validate(self: &Self) -> Result<(), RunError> - Validate resolved values before execution starts.

Trait Implementations:

• Clone
  • fn clone(self: &Self) -> ResolvedProfile
• PartialEq
  • fn eq(self: &Self, other: &ResolvedProfile) -> bool
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>

firma_run::config::SandboxIdentityMode

Enum

Identity mode used inside sandboxed execution.

Variants:

• SandboxUser
• HostUser

Traits: Eq, Copy

Trait Implementations:

• PartialEq
  • fn eq(self: &Self, other: &SandboxIdentityMode) -> bool
• Clone
  • fn clone(self: &Self) -> SandboxIdentityMode
• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
• Deserialize
  • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>

firma_run::config::SeccompPolicyConfig

Struct

Seccomp policy compilation settings for Linux bwrap backend.

Fields:

• source_policy_path: std::path::PathBuf
• artifact_dir: std::path::PathBuf
• verify_checksum: bool
• runtime_mode: SeccompRuntimeMode

Traits: Eq

Trait Implementations:

• Clone
  • fn clone(self: &Self) -> SeccompPolicyConfig
• PartialEq
  • fn eq(self: &Self, other: &SeccompPolicyConfig) -> bool
• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result

firma_run::config::SeccompRuntimeMode

Enum

Runtime behavior for managed seccomp artifact selection.

Variants:

• CompileOnLaunch - Compile/update managed seccomp artifacts during launch and then load.
• PrecompiledOnly - Require a precompiled managed seccomp artifact; do not compile at launch.

Traits: Eq, Copy

Trait Implementations:

• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
• Deserialize
  • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
• PartialEq
  • fn eq(self: &Self, other: &SeccompRuntimeMode) -> bool
• Clone
  • fn clone(self: &Self) -> SeccompRuntimeMode

firma_run::config::SidecarEndpoint

Enum

Sidecar endpoint form used by the wrapper.

Variants:

• Tcp{ addr: std::net::SocketAddr }
• Unix{ path: std::path::PathBuf }

Methods:

• fn proxy_url(self: &Self) -> Option<String> - Returns the HTTP proxy URL when represented as TCP endpoint.

Traits: Eq

Trait Implementations:

• Clone
  • fn clone(self: &Self) -> SidecarEndpoint
• PartialEq
  • fn eq(self: &Self, other: &SidecarEndpoint) -> bool
• FromStr
  • fn from_str(value: &str) -> Result<Self, <Self as >::Err>
• Serialize
  • fn serialize<__S>(self: &Self, __serializer: __S) -> _serde::__private228::Result<<__S as >::Ok, <__S as >::Error>
• Debug
  • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result

firma_run::config::resolve_profile

Function

Resolve profile configuration for a run invocation.

Errors

Returns an error when profile resolution fails due to invalid inputs, parse errors, or resulting validation failures.

fn resolve_profile(args: &crate::runtime::RunInput) -> Result<ResolvedProfile, crate::error::RunError>