gomodjail is an experimental library sandbox for Go modules.
gomodjail imposes syscall restrictions on a specific set of Go modules to mitigate their potential vulnerabilities and supply chain attack vectors. A restricted module is hindered from accessing files and executing commands.
gomodjail can be enabled for nerdctl by using the nerdctl.gomodjail binary.
For the gomodjail policy applied to nerdctl.gomodjail, see https://github.com/containerd/nerdctl/blob/main/go.mod.
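To review which dependencies such a policy actually restricts, the sketch below audits a go.mod for policy annotations. It is an added example, not code from gomodjail or nerdctl. It assumes the policy is written as `//gomodjail:confined` and `//gomodjail:unconfined` comments, either on a module's line or directly above a `require (` block (the syntax is not shown on this page); `Audit`, `policyOf` and the sample module paths are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample go.mod; module paths are placeholders.
const sampleGoMod = `module example.com/app
require (
	example.com/direct v1.0.0
	example.com/parser v1.2.3 //gomodjail:confined
)
//gomodjail:confined
require (
	example.com/yaml v0.4.0 // indirect
	example.com/sys v0.9.0 //gomodjail:unconfined
)`
// policyOf returns the word after "gomodjail:" in a comment, else fallback.
func policyOf(comment, fallback string) string {
	_, rest, _ := strings.Cut(comment, "gomodjail:")
	if f := strings.Fields(rest); len(f) > 0 {
		return f[0]
	}
	return fallback
}
// Audit maps each module in a require block to its effective policy ("" = none).
// Assumption: a per-line annotation overrides the one placed above the block.
func Audit(goMod string) map[string]string {
	out, pending, def, inBlock := map[string]string{}, "", "", false
	for sc := bufio.NewScanner(strings.NewReader(goMod)); sc.Scan(); {
		code, comment, _ := strings.Cut(strings.TrimSpace(sc.Text()), "//")
		switch code = strings.TrimSpace(code); {
		case code == "require (":
			inBlock, def, pending = true, pending, ""
		case code == ")":
			inBlock = false
		case inBlock && code != "":
			out[strings.Fields(code)[0]] = policyOf(comment, def)
		case !inBlock:
			pending = policyOf(comment, "") // annotation directly above a block
		}
	}
	return out
}

func main() {
	fmt.Println(Audit(sampleGoMod)) // fmt prints map keys in sorted order
}
```

Modules that map to an empty policy carry no annotation and are the ones to check first when reviewing a dependency update.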