# depends upon:
# nis.schema
# Root (1.3.6.1.4.1.9163.3)
# 2.1 - sargonACL -- ACL object
# 1.1 - sargonUser -- User who can run docker
# 1.2 - sargonHost -- Host or hostgroup that can run docker
# 1.3 - sargonAllow -- Allowed action
# 1.4 - sargonDeny -- Denied action
# 1.5 - sargonOrder -- An integer to order sargonACL entries
# 1.6 - sargonMount -- Host FS directories that are allowed to be mounted
# 1.7 - sargonAllowPrivileged
# -- Whether it is allowed to create privileged containers
# 1.8 - sargonMaxMemory
# -- Limit on memory usage
# 1.9 - sargonMaxKernelMemory
# -- Limit on kernel memory usage
# 1.10 - sargonAllowCapability
# -- Name of the linux capability that can be added
# 1.11 - sargonNotBefore
# -- Start of time interval for which the entry is valid
# 1.12 - sargonNotAfter
# -- End of time interval for which the entry is valid
# sargonUser: multi-valued (no SINGLE-VALUE) IA5 string compared with
# caseExactIA5Match, so 'Alice' and 'alice' are distinct principals. No SUBSTR
# rule is declared, so substring filters on this attribute are unsupported.
# NOTE(review): whether a value is an exact account name or a pattern is
# decided by the consumer, not by this schema — confirm before relying on it.
attributeType ( 1.3.6.1.4.1.9163.3.1.1 NAME 'sargonUser'
DESC 'User who can run docker'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# sargonHost: multi-valued IA5 string with both an equality and a substring
# matching rule, so wildcard filters against it are valid at the directory.
# The header comment calls this "Host or hostgroup"; the DESC says only "Host".
# NOTE(review): any hostgroup expansion (this file depends on nis.schema) would
# have to happen in the consumer — confirm which form values actually take.
attributeType ( 1.3.6.1.4.1.9163.3.1.2 NAME 'sargonHost'
DESC 'Host that can run docker'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# sargonAllow: multi-valued, case-exact IA5 string naming an allowed docker
# action. No SUBSTR rule, so only exact equality filters apply.
# NOTE(review): how an action listed in both sargonAllow and sargonDeny
# (within one entry or across entries) is resolved is not expressed in the
# schema — presumably the consumer applies sargonOrder; confirm in its code.
attributeType ( 1.3.6.1.4.1.9163.3.1.3 NAME 'sargonAllow'
DESC 'Docker action that is allowed to be taken'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# sargonDeny: counterpart of sargonAllow — multi-valued, case-exact IA5 string
# naming a docker action that is refused. Same matching rules as sargonAllow
# (equality only, no substring), so the two attributes compare consistently.
# NOTE(review): precedence between deny and allow is a consumer decision, not
# a schema one — confirm the consumer's evaluation order.
attributeType ( 1.3.6.1.4.1.9163.3.1.4 NAME 'sargonDeny'
DESC 'Docker action that is not allowed to be taken'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# sargonOrder: INTEGER with equality and ordering rules, used to sequence
# sargonACL entries. It is NOT declared SINGLE-VALUE, so one entry may carry
# several order values, which makes that entry's position ambiguous.
# NOTE(review): consider adding SINGLE-VALUE; left unchanged here because the
# consumer's handling of duplicate values and any existing data are not visible.
attributeType ( 1.3.6.1.4.1.9163.3.1.5 NAME 'sargonOrder'
DESC 'integer to order the sargonACL entries'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
# sargonMount: multi-valued, case-exact IA5 string listing host filesystem
# directories a container may mount; a SUBSTR rule is declared, so prefix and
# wildcard filters are possible at the directory. This is a high-impact
# attribute: each value widens what a container can reach on the host.
# NOTE(review): the schema does not say whether values are matched as exact,
# canonicalised paths or as prefixes — confirm that the consumer normalises
# paths (symlinks, '..', trailing '/') before comparing them to this list.
attributeType ( 1.3.6.1.4.1.9163.3.1.6 NAME 'sargonMount'
DESC 'Host FS directories that are allowed to be mounted'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# sargonAllowPrivileged: SINGLE-VALUE Boolean (syntax 1.3.6.1.4.1.1466.115.121.1.7,
# values TRUE/FALSE) gating privileged containers. The schema assigns no
# default for an absent attribute; how the consumer treats "missing" is not
# visible here — confirm it is read as FALSE.
attributeType ( 1.3.6.1.4.1.9163.3.1.7 NAME 'sargonAllowPrivileged'
DESC 'Whether it is allowed to create privileged containers'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
# sargonMaxMemory: SINGLE-VALUE INTEGER cap on container memory (header
# comment: "Limit on memory usage"). Units are not stated in the schema —
# presumably bytes; confirm against the consumer. No ORDERING rule is
# declared, so range filters on this attribute are not supported.
attributeType ( 1.3.6.1.4.1.9163.3.1.8 NAME 'sargonMaxMemory'
DESC 'Limit on the memory value'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# sargonMaxKernelMemory: SINGLE-VALUE INTEGER cap on container kernel memory,
# declared exactly like sargonMaxMemory (integerMatch, no ORDERING rule).
# Units are not stated in the schema — presumably bytes; confirm against
# the consumer.
attributeType ( 1.3.6.1.4.1.9163.3.1.9 NAME 'sargonMaxKernelMemory'
DESC 'Limit on the kernel memory value'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# sargonAllowCapability: multi-valued, case-exact IA5 string naming a Linux
# capability that may be added to a container. Because matching is
# case-exact, the spelling (including whether a CAP_ prefix is used) must be
# exactly what the consumer expects — TODO confirm the expected form.
attributeType ( 1.3.6.1.4.1.9163.3.1.10 NAME 'sargonAllowCapability'
DESC 'Name of the linux capability that can be added'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# sargonNotBefore: SINGLE-VALUE GeneralizedTime (syntax 1.3.6.1.4.1.1466.115.121.1.24)
# marking the start of the entry's validity window; the ORDERING rule makes
# >= / <= filters usable at the directory.
# NOTE(review): GeneralizedTime values carry their own zone designator; how
# the consumer compares them with "now" is not defined here — confirm.
attributeType ( 1.3.6.1.4.1.9163.3.1.11 NAME 'sargonNotBefore'
DESC 'Start of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
# sargonNotAfter: SINGLE-VALUE GeneralizedTime marking the end of the entry's
# validity window, declared exactly like sargonNotBefore.
# NOTE(review): the schema cannot enforce sargonNotAfter >= sargonNotBefore,
# nor say whether an absent value means "no expiry" — confirm both in the
# consumer.
attributeType ( 1.3.6.1.4.1.9163.3.1.12 NAME 'sargonNotAfter'
DESC 'End of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
# sargonACL: STRUCTURAL class (SUP top) holding one access-control entry.
# Only cn is mandatory; every sargon* attribute is MAY, so an entry carrying
# nothing but a cn is schema-valid.
# NOTE(review): sargonUser and sargonHost are optional too, so an entry can
# name neither a subject user nor a host. Whether such an entry grants
# nothing or matches everyone is a consumer decision, not a schema one —
# confirm before treating the schema as the policy guard.
objectClass ( 1.3.6.1.4.1.9163.3.2.1 NAME 'sargonACL'
SUP top
STRUCTURAL
DESC 'Sargon Access Control List Entry'
MUST ( cn )
MAY ( sargonUser $ sargonHost $ sargonAllow $ sargonDeny $
sargonOrder $ sargonMount $ sargonAllowPrivileged $
sargonMaxMemory $ sargonMaxKernelMemory $ sargonAllowCapability $
sargonNotBefore $ sargonNotAfter $
description ) )