On Linux hosts, crosvm uses minijail to sandbox the child devices. The minijail C library is utilized via a Rust wrapper so as not to repeat the intricate sequence of syscalls used to make a secure isolated child process.

The exact configuration of the sandbox varies by device, but they are mostly alike. See create_base_minijail from jail/src/ The set of security constraints explicitly used in crosvm are:

  • PID Namespace
    • Runs as init
  • Deny setgroups
  • Optional limit the capabilities mask to 0
  • User namespace
    • Optional uid/gid mapping
  • Mount namespace
    • Optional pivot into a new root
  • Network namespace
  • seccomp with optional log failure mode
  • Limit to number of file descriptors