Merge Semantics

This file is auto-generated by can-docgen. Do not edit manually.

When multiple recipes are composed, each field follows a specific merge strategy.

Composition Order

base.toml (always loaded first)
  → auto-detected recipes (match_prefix against command binary)
  → explicit --recipe args (left to right)
  → manifest overrides (for `can up`)
  = final SandboxConfig

Field Merge Strategies

| Field | Type | Strategy | Description |
|---|---|---|---|
| recipe | RecipeMeta | Overlay | Later recipe’s metadata wins if present |
| strict | Option<bool> | OR | Any Some(true) wins — can never be loosened |
| filesystem.allow | Vec<PathBuf> | Union | Deduplicated, preserving first-occurrence order |
| filesystem.allow_write | Vec<PathBuf> | Union | Deduplicated, preserving first-occurrence order |
| filesystem.deny | Vec<PathBuf> | Union | Deduplicated, preserving first-occurrence order |
| filesystem.mask | Vec<PathBuf> | Union | Deduplicated, preserving first-occurrence order |
| host (top-level [[host]] blocks) | Vec<HostBlock> | Union by domain | Same domain → field-merged via HostBlock::merge; distinct domains preserved |
| network.allow_ips | Vec<String> | Union | Deduplicated, preserving first-occurrence order |
| network.egress | Option<EgressMode> | Last-Some-wins | None preserves earlier value; Some(x) overwrites |
| network.ports | Vec<PortMapping> | Union | Deduplicated, preserving first-occurrence order |
| process.max_pids | Option<u32> | Last-Some-wins | None preserves earlier value; Some(x) overwrites |
| process.allow_execve | Vec<PathBuf> | Union | Deduplicated, preserving first-occurrence order |
| process.env_passthrough | Vec<String> | Union | Deduplicated, preserving first-occurrence order |
| resources.memory_mb | Option<u64> | Last-Some-wins | None preserves earlier value; Some(x) overwrites |
| resources.cpu_percent | Option<u32> | Last-Some-wins | None preserves earlier value; Some(x) overwrites |
| syscalls.seccomp_mode | Option<SeccompMode> | Last-Some-wins | None preserves earlier value; Some(x) overwrites |
| syscalls.notifier | Option<bool> | Last-Some-wins | None preserves earlier value; Some(x) overwrites |
| syscalls.allow | Vec<String> | Union | Absolute allow list (baseline only) |
| syscalls.deny | Vec<String> | Union | Absolute deny list (baseline only) |
| syscalls.allow_extra | Vec<String> | Union | Deduplicated, preserving first-occurrence order |
| syscalls.deny_extra | Vec<String> | Union | Deduplicated, preserving first-occurrence order |

Strategy Definitions

  • Union: Both base and overlay values are combined into a single list, deduplicated by value, preserving first-occurrence order.
  • OR: Any Some(true) wins permanently. Once strict mode is enabled by any recipe in the chain, it cannot be disabled.
  • Last-Some-wins: The last recipe that specifies a value (Some(x)) wins. None (field omitted) preserves the earlier value.
  • Overlay: The later recipe’s value replaces the earlier one entirely if present.
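
The following is an added example, not the project's own code: it folds three constructed layers in composition order to show which fields a later layer can widen (Union, Last-Some-wins) and which it cannot loosen (OR). The `Layer` struct, the function names and the sample values are hypothetical, and the handling of `strict` when no layer sets `Some(true)` is an assumption.

```rust
use std::path::PathBuf;

// Hypothetical three-field subset of a layer; not the project's SandboxConfig.
#[derive(Debug, Clone, Default, PartialEq)]
struct Layer {
    strict: Option<bool>,   // OR
    fs_allow: Vec<PathBuf>, // Union (stands in for filesystem.allow)
    max_pids: Option<u32>,  // Last-Some-wins (stands in for process.max_pids)
}

// Union: combine both lists, deduplicated by value, first-occurrence order kept.
fn union<T: Clone + PartialEq>(base: &[T], overlay: &[T]) -> Vec<T> {
    let mut out: Vec<T> = Vec::new();
    for item in base.iter().chain(overlay.iter()) {
        if !out.contains(item) { out.push(item.clone()); }
    }
    out
}

// OR: once any layer says Some(true), the result stays Some(true).
// Assumption: if no layer says true, fall back to last-Some-wins.
fn or_strict(base: Option<bool>, overlay: Option<bool>) -> Option<bool> {
    if base == Some(true) || overlay == Some(true) { Some(true) } else { overlay.or(base) }
}

// Last-Some-wins: None (field omitted) preserves the earlier value.
fn last_some<T>(base: Option<T>, overlay: Option<T>) -> Option<T> { overlay.or(base) }

fn merge(base: &Layer, overlay: &Layer) -> Layer {
    Layer {
        strict: or_strict(base.strict, overlay.strict),
        fs_allow: union(&base.fs_allow, &overlay.fs_allow),
        max_pids: last_some(base.max_pids, overlay.max_pids),
    }
}

// Fold in composition order: base, auto-detected, --recipe args, manifest.
fn compose(layers: &[Layer]) -> Layer {
    layers.iter().fold(Layer::default(), |acc, l| merge(&acc, l))
}

// Constructed sample layers: base, one recipe, one manifest override.
fn sample_layers() -> Vec<Layer> {
    let p = |s: &str| PathBuf::from(s);
    vec![
        Layer { strict: Some(true), fs_allow: vec![p("/usr"), p("/tmp")], max_pids: Some(64) },
        Layer { strict: Some(false), fs_allow: vec![p("/tmp"), p("/home/dev/project")], max_pids: None },
        Layer { strict: None, fs_allow: vec![], max_pids: Some(512) },
    ]
}

fn main() { println!("{:#?}", compose(&sample_layers())); }
```

In this run the recipe's `Some(false)` does not clear `strict`, while the manifest layer raises `max_pids` from 64 to 512 and the allow list only ever grows, which is what to look for when reviewing a recipe chain.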