Plugin

A plugin extends reaction by defining new Stream types and Action types.

All options are listed here. See the Plugin page for the rationale, high-level overview and plugin list.

path

Required. The path to the plugin's executable.

{
  plugins: {
    myplugin: {
      path: '/path/to/my/plugin',
    },
  },
}

plugins:
  myplugin:
    path: /path/to/my/plugin

check_root

Whether reaction must check that the executable is owned by root.

Defaults to true. It's recommended to leave it that way.

{
  plugins: {
    myplugin: {
      path: '/path/to/my/plugin',
      check_root: true,
    },
  },
}

plugins:
  myplugin:
    path: /path/to/my/plugin
    check_root: true

systemd

Whether reaction must isolate the plugin using systemd.

Requires systemd's run0, available since v256.

{
  plugins: {
    myplugin: {
      path: '/path/to/my/plugin',
      systemd: false,
    },
  },
}

plugins:
  myplugin:
    path: /path/to/my/plugin
    systemd: false

Defaults to true. Will be set to false when reaction does not run as root.

run0 seems buggy on certain systems. If sudo run0 ls / doesn't print anything, your run0 installation isn't functional, and you should set this option to false.

systemd_options

A key-value map of systemd options.

Keys must be strings and values must be string arrays.

See man systemd.directives for all supported options, and particularly options in man systemd.exec.

reaction provides a default list of containerization and security options.

Each key can be overridden here, most commonly to relax permissions that are too restrictive for a given plugin.

Each plugin should document what options are necessary for the plugin to run correctly.

Notable systemd options
  • ReadOnlyPaths: Set to ["/"]. Should not be overridden in most cases.
  • ReadWritePaths: Set to the plugin working directory. Don't hesitate to extend this list if the plugin has to mutate other files.
  • CapabilityBoundingSet: Set to the empty list, which means no admin capability is set.
    • See man 7 capabilities for the explanations.
    • You must invert capabilities to add them to the list. Example: ["~CAP_NET_ADMIN"] adds this capability to the list.
    • Full list: CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_BLOCK_SUSPEND CAP_BPF CAP_CHECKPOINT_RESTORE CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_PERFMON CAP_SETFCAP CAP_SETGID CAP_SETPCAP CAP_SETUID CAP_SYSLOG CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_NICE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM

Example:

{
  plugins: {
    myplugin: {
      path: '/path/to/my/plugin',
      systemd_options: {
        DynamicUser: ["false"],
        User: ["reaction-plugin"],
      }
    },
  },
}

plugins:
  myplugin:
    path: /path/to/my/plugin
    systemd_options:
      DynamicUser: ["false"]
      User: ["reaction-plugin"]