1# Minijail 2 3On Linux hosts, crosvm uses [minijail](https://google.github.io/minijail/) to sandbox the child 4devices. The minijail C library is utilized via a 5[Rust wrapper](https://chromium.googlesource.com/chromiumos/platform/minijail/+/refs/heads/main/rust/minijail/src/lib.rs) 6so as not to repeat the intricate sequence of syscalls used to make a secure isolated child process. 7 8The exact configuration of the sandbox varies by device, but they are mostly alike. See 9[`create_base_minijail`] from `jail/src/helpers.rs`. The set of security constraints explicitly used 10in crosvm are: 11 12- PID Namespace 13 - Runs as init 14- [Deny setgroups](https://lwn.net/Articles/626665/) 15- Optional limit the capabilities mask to `0` 16- User namespace 17 - Optional uid/gid mapping 18- Mount namespace 19 - Optional pivot into a new root 20- Network namespace 21- [PR_SET_NO_NEW_PRIVS](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) 22- [seccomp](seccomp.html) with optional log failure mode 23- Limit to number of file descriptors 24 25[`create_base_minijail`]: https://crosvm.dev/doc/jail/fn.create_base_minijail.html 26