Module jail::helpers

Structs

• SandboxConfig
  Config for the sandbox to be created by [Minijail].
• ScopedMinijail
  Wrapper that cleans up a [Minijail] when it is dropped

Enums

• RunAsUser
  The user in the jail to run as.

Constants

• MAX_OPEN_FILES_DEFAULT
  Most devices don’t need to open many fds.
• MAX_OPEN_FILES_FOR_GPU 🔒
  The max open files for gpu processes.
• MAX_OPEN_FILES_FOR_JAIL_WARDEN
  The max open files for jail warden, matching FD_RAW_FAILURE.

Statics

• EMBEDDED_BPFS 🔒

Functions

• add_current_user_to_jail 🔒
  Set the uid/gid for the jailed process and give a basic id map. This is required for bind mounts to work.
• create_base_minijail
  Creates a [Minijail] instance which just changes the root using pivot_root(2) path and max_open_files using RLIMIT_NOFILE.
• create_gpu_minijail
  Creates [Minijail] for gpu processes.
• create_sandbox_minijail
  Creates a [Minijail] instance which creates a sandbox.
• jail_mount_bind_drm
  Selectively bind mount drm nodes into jail based on render_node_only
• jail_mount_bind_if_exists
  Mirror-mount all the directories in dirs into jail on a best-effort basis.
• mount_proc
  Mount proc in the sandbox.
• simple_jail
  Creates a basic [Minijail] if jail_config is present.