// Enables seccomp inside the sandbox.

OCISeccomp bool `flag:"oci-seccomp"`

// TestOnlyAllowRunAsCurrentUserWithoutChroot should only be used in

// tests. It allows runsc to start the sandbox process as the current

// user, and without chrooting the sandbox process. This can be

flag.Bool("fsgofer-host-uds", false, "allow the gofer to mount Unix Domain Sockets.")

flag.Bool("vfs2", false, "enables VFSv2. This uses the new VFS layer that is faster than the previous one.")

flag.Bool("fuse", false, "TEST ONLY; use while FUSE in VFSv2 is landing. This allows the use of the new experimental FUSE filesystem.")

// Flags that control sandbox runtime behavior: network related.

flag.Var(networkTypePtr(NetworkSandbox), "network", "specifies which network to use: sandbox (default), host, none. Using network inside the sandbox is more secure because it's isolated from the host network.")