Crate jail

Re-exports

• pub use crate::fork::fork_process;

Modules

• config 🔒
• fork
  Provides fork_process to fork a process.
• helpers 🔒

Structs

• JailConfig
• SandboxConfig
  Config for the sandbox to be created by [Minijail].
• ScopedMinijail
  Wrapper that cleans up a [Minijail] when it is dropped

Enums

• RunAsUser
  The user in the jail to run as.

Constants

• MAX_OPEN_FILES_DEFAULT
  Most devices don’t need to open many fds. However, an implementation detail of minijail is that after applying this limit, it opens an additional file descriptor to scan the /proc/self/fd directory to choose which file descriptors to close in the child process. The open files limit therefore has to be higher than the number file descriptors that the parent thread holds open before the jail is started.
• MAX_OPEN_FILES_FOR_JAIL_WARDEN
  The max open files for jail warden, matching FD_RAW_FAILURE.

Functions

• create_base_minijail
  Creates a [Minijail] instance which just changes the root using pivot_root(2) path and max_open_files using RLIMIT_NOFILE.
• create_base_minijail_without_pivot_root
  Creates a [Minijail] instance which just invokes a jail process and sets max_open_files using RLIMIT_NOFILE. This is helpful with crosvm process runs as a non-root user without SYS_ADMIN capabilities.
• create_default_minijail
  Creates a default Minijail instance with no configuration.
• create_gpu_minijail
  Creates [Minijail] for gpu processes.
• create_sandbox_minijail
  Creates a [Minijail] instance which creates a sandbox.
• jail_mount_bind_drm
  Selectively bind mount drm nodes into jail based on render_node_only
• jail_mount_bind_if_exists
  Mirror-mount all the directories in dirs into jail on a best-effort basis.
• mount_proc
  Mount proc in the sandbox.
• set_embedded_bpf_program
  Set the seccomp policy for a jail from embedded bpfs
• simple_jail
  Creates a basic [Minijail] if jail_config is present.