pub fn create_base_minijail_without_pivot_root(
    root: &Path,
    max_open_files: u64
) -> Result<Minijail>

Creates a [Minijail] instance which just invokes a jail process and sets max_open_files using RLIMIT_NOFILE. This is helpful when the crosvm process runs as a non-root user without SYS_ADMIN capabilities.

Unlike create_base_minijail, this function doesn’t call pivot_root or set up a mount namespace, so it can run as a non-root user without SYS_ADMIN capabilities.

Note that since this function provides no file system isolation, its caller should enforce another security mechanism, such as SELinux on the host, to protect directories.

§Arguments

  • root - The root path to be checked before the process is jailed
  • max_open_files - The maximum number of file descriptors to allow a jailed process to open.
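As an added illustration (not crosvm's or minijail's own code) of what a jail without pivot_root or a mount namespace still enforces, the std-only Rust helper below applies RLIMIT_NOFILE in the forked child before exec, the same point at which minijail applies a jail's rlimits. It assumes Linux (RLIMIT_NOFILE is 7, rlim_t is 64-bit) and declares setrlimit(2) by hand; run_with_fd_limit and child_nofile_limit are names chosen here. The child's fd limit is enforced without any privilege, yet it still sees the host filesystem, which is why the note about SELinux or another host mechanism applies.

```rust
use std::io;
use std::os::unix::process::CommandExt;
use std::process::Command;

// setrlimit(2) declared by hand so the example needs no libc crate.
// Assumes Linux: RLIMIT_NOFILE is 7 and rlim_t is 64-bit.
#[repr(C)]
struct Rlimit {
    rlim_cur: u64,
    rlim_max: u64,
}
const RLIMIT_NOFILE: i32 = 7;
unsafe extern "C" {
    fn setrlimit(resource: i32, rlim: *const Rlimit) -> i32;
}

/// Spawn `program` with both the soft and hard RLIMIT_NOFILE set to
/// `max_open_files` and return its trimmed stdout. Only the fd limit is
/// applied: no pivot_root, no mount namespace, no capabilities needed, so
/// the child sees the parent's filesystem unchanged.
pub fn run_with_fd_limit(program: &str, args: &[&str], max_open_files: u64) -> io::Result<String> {
    let mut cmd = Command::new(program);
    cmd.args(args);
    // pre_exec runs in the child between fork() and execve(); minijail applies
    // its rlimits at the same point. Lowering a limit needs no privilege, but
    // raising the hard limit above the current one fails with EPERM.
    unsafe {
        cmd.pre_exec(move || {
            let lim = Rlimit { rlim_cur: max_open_files, rlim_max: max_open_files };
            if setrlimit(RLIMIT_NOFILE, &lim) != 0 {
                return Err(io::Error::last_os_error());
            }
            Ok(())
        });
    }
    let out = cmd.output()?;
    if !out.status.success() {
        return Err(io::Error::other(format!("{program} exited with {}", out.status)));
    }
    Ok(String::from_utf8_lossy(&out.stdout).trim().to_string())
}

/// Ask a child shell which soft fd limit it actually received.
pub fn child_nofile_limit(max_open_files: u64) -> io::Result<u64> {
    run_with_fd_limit("sh", &["-c", "ulimit -n"], max_open_files)?
        .parse()
        .map_err(|e| io::Error::other(format!("unexpected ulimit output: {e}")))
}

fn main() -> io::Result<()> {
    println!("child soft limit: {}", child_nofile_limit(64)?);
    // No filesystem isolation: the limited child still lists the host root.
    println!("child sees: {}", run_with_fd_limit("ls", &["-d", "/"], 64)?);
    Ok(())
}
```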