Crate jail

Re-exports

pub use crate::fork::fork_process;

Modules

config 🔒

fork

Provides fork_process to fork a process.

helpers 🔒

Structs

JailConfig

SandboxConfig

Config for the sandbox to be created by [Minijail].

ScopedMinijail

Wrapper that cleans up a [Minijail] when it is dropped

Enums

RunAsUser

The user in the jail to run as.

Constants

MAX_OPEN_FILES_DEFAULT

Most devices don’t need to open many fds. However, an implementation detail of minijail is that after applying this limit, it opens an additional file descriptor to scan the /proc/self/fd directory to choose which file descriptors to close in the child process. The open files limit therefore has to be higher than the number file descriptors that the parent thread holds open before the jail is started.

MAX_OPEN_FILES_FOR_JAIL_WARDEN

The max open files for jail warden, matching FD_RAW_FAILURE.

Functions

create_base_minijail

Creates a [Minijail] instance which just changes the root using pivot_root(2) path and max_open_files using RLIMIT_NOFILE.

create_base_minijail_without_pivot_root

Creates a [Minijail] instance which just invokes a jail process and sets max_open_files using RLIMIT_NOFILE. This is helpful with crosvm process runs as a non-root user without SYS_ADMIN capabilities.

create_gpu_minijail

Creates [Minijail] for gpu processes.

create_sandbox_minijail

Creates a [Minijail] instance which creates a sandbox.

jail_mount_bind_drm

Selectively bind mount drm nodes into jail based on render_node_only

jail_mount_bind_if_exists

Mirror-mount all the directories in dirs into jail on a best-effort basis.

mount_proc

Mount proc in the sandbox.

set_embedded_bpf_program

Set the seccomp policy for a jail from embedded bpfs

simple_jail

Creates a basic [Minijail] if jail_config is present.