filed
Job queue using FUSE
git clone git://mccd.space/filed
| Log | Files | Refs | README | LICENSE |
commit 5734599957c57becdecf47780893d98e2da3ced1 parent 68a5a76c61a06226febaa9e5d15953863983f191 Author: Marc Coquand <marc@coquand.email> Date: Fri, 19 Dec 2025 13:00:19 +0100 Docs Diffstat:
| M | README.md | | | 1 | + |
| M | filed.5.scd | | | 12 | ++++++------ |
2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md @@ -95,6 +95,7 @@ I was inspired by 9p, and files proved to be a great abstraction since directori - [x] "Landlock"-mode for sandboxing - [x] Add filed-launch - a script that can be used to restrict command access - [x] Add command arguments to filed to lock it down, but still allow it access to state files, and remove that access in filed-launch +- [ ] Support network restrictions - [ ] A reusable systemd unit file - [ ] Notification on failure. Unfortunately [inotify does not work with fuse], which would have been elegant otherwise. - [ ] Notify forget and other updates. diff --git a/filed.5.scd b/filed.5.scd @@ -15,10 +15,10 @@ job queue that operates on files. It mounts a directory _mdir_, which is where the user can add and inspect jobs. All jobs are executed with *filed-launch*(1), allowing you to restrict job -accesses. If an _option_ is supplied, filed will launch with *landlock*(7) -sandbox, restrict itself to only the necessary directories and files to access -fuse, processes, database, *filed-launch*(1) along with the supplied _option_s. -Jobs thereafter will have their access further droppet to only access _option_s. +accesses. If one or more _option_s are supplied, filed will launch with +*landlock*(7) sandbox, restrict itself to only the necessary directories and +files for operations along with the supplied _option_s. Jobs thereafter will +have their access further dropped to only access _option_s. If no _option_ is supplied, *filed* will launch with access unrestricted. @@ -82,7 +82,7 @@ principle of least access. Importantly, the system is intended for only trusted scripts: the job user has access to the state, and is thus able to rewrite access rights. It is -recommended to either use _option_s to restrict access, or alternatively +recommended to either use options to restrict access, or alternatively *bwrap*(1) or similar tools to drop further privileges. Another aspect to be aware of is that File d'attente stores logs of all jobs. @@ -125,7 +125,7 @@ cat /var/filed/active/myjob # SEE ALSO *filed.config*(5) *filed-launch*(1) *landlock*(7) - + - Periodic jobs can be set up using *cron*(8). - Monitoring failures can be done with *watch*(1)