Crate jail

Re-exports

• pub use crate::fork::fork_process;

Modules

• config 🔒
• fork
  Provides fork_process to fork a process.
• helpers 🔒

Structs

• JailConfig
• SandboxConfig
  Config for the sandbox to be created by [Minijail].
• ScopedMinijail
  Wrapper that cleans up a [Minijail] when it is dropped

Enums

• RunAsUser
  The user in the jail to run as.

Constants

• MAX_OPEN_FILES_DEFAULT
  Most devices don’t need to open many fds.
• MAX_OPEN_FILES_FOR_JAIL_WARDEN
  The max open files for jail warden, matching FD_RAW_FAILURE.

Functions

• create_base_minijail
  Creates a [Minijail] instance which just changes the root using pivot_root(2) path and max_open_files using RLIMIT_NOFILE.
• create_base_minijail_without_pivot_root
  Creates a [Minijail] instance which just invokes a jail process and sets max_open_files using RLIMIT_NOFILE. This is helpful with crosvm process runs as a non-root user without SYS_ADMIN capabilities.
• create_gpu_minijail
  Creates [Minijail] for gpu processes.
• create_sandbox_minijail
  Creates a [Minijail] instance which creates a sandbox.
• jail_mount_bind_drm
  Selectively bind mount drm nodes into jail based on render_node_only
• jail_mount_bind_if_exists
  Mirror-mount all the directories in dirs into jail on a best-effort basis.
• mount_proc
  Mount proc in the sandbox.
• set_embedded_bpf_program
  Set the seccomp policy for a jail from embedded bpfs
• simple_jail
  Creates a basic [Minijail] if jail_config is present.