# Sandboxing

```mermaid
%%{init: {'theme':'base'}}%%
graph BT
    subgraph guest
        subgraph guest_kernel
            virtio_blk_driver
            virtio_net_driver
        end
    end
    subgraph crosvm Process
        vcpu0:::vcpu
        vcpu1:::vcpu
        subgraph device_proc0[Device Process]
            virtio_blk --- virtio_blk_driver
            disk_fd[(Disk FD)]
        end
        subgraph device_proc1[Device Process]
            virtio_net --- virtio_net_driver
            tapfd{{TAP FD}}
        end
    end
    subgraph kernel[Host Kernel]
        KVM --- vcpu1 & vcpu0
    end
    style KVM fill:#4285f4
    classDef vcpu fill:#7890cd
    classDef system fill:#fff,stroke:#777;
    class crosvm,guest,kernel system;
    style guest_kernel fill:#d23369,stroke:#777
```

Generally speaking, sandboxing is achieved in crosvm by isolating each virtualized device into its
own process. A process is always somewhat isolated from another by virtue of being in a different
address space. Depending on the operating system, crosvm uses additional measures to sandbox its
child processes by limiting each one to just what it needs to function.

In the example diagram above, the virtio block device exists as a child process of crosvm. It has
been limited to having just the FD needed to access the backing file on the host and has no ability
to open new files. A similar setup exists for other devices like virtio net.
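The "one FD and nothing else" confinement described above, as an added example that is not crosvm's own code. On Linux crosvm builds its device jails with minijail (seccomp-BPF policies, namespaces, uid/gid changes); this Python demo reproduces only the file-descriptor part of that picture with plain POSIX calls. The parent opens the disk image, forks the "device process", renumbers the two descriptors the child may keep into fixed slots (`DISK_SLOT` and `REPORT_SLOT` are names chosen here, not a crosvm convention), closes every other fd, and pins `RLIMIT_NOFILE` so that `open()`, `pipe()` and `dup()` can never produce another descriptor. The sample image contents, the temp-file name and the probes are constructed for the demo.

```python
"""Added example (not crosvm code): a forked device process that receives exactly one
host fd (the disk) plus a report pipe and cannot obtain any further descriptor."""
import ctypes
import errno
import json
import os
import resource
import sys
import tempfile

DISK_SLOT = 0    # the device process finds its backing file at this fd number (demo layout)
REPORT_SLOT = 1  # and writes its status report to this one
SAMPLE_DISK = b"constructed sample disk image: sector 0"  # constructed test data, not a real image
PR_SET_NO_NEW_PRIVS = 38


def _set_no_new_privs() -> None:
    """prctl(PR_SET_NO_NEW_PRIVS): execve() can never grant the process new privileges
    (no setuid/setgid/file-capability escalation); also a prerequisite for seccomp filters."""
    libc = ctypes.CDLL(None, use_errno=True)
    zero = ctypes.c_ulong(0)
    if libc.prctl(PR_SET_NO_NEW_PRIVS, ctypes.c_ulong(1), zero, zero, zero) != 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_SET_NO_NEW_PRIVS) failed")


def enter_device_jail(keep: dict) -> None:
    """Confine the calling (child) process to the fds in `keep` ({slot: fd}) and nothing else.

    Slots must be 0..n-1. Afterwards every fd number >= n is closed and RLIMIT_NOFILE is n,
    so open(), pipe(), socket(), dup() and friends all fail with EMFILE: the device can use
    the handles it was given but cannot acquire new ones.
    """
    n = len(keep)
    assert sorted(keep) == list(range(n)), "slots must be contiguous from 0"
    # Stage every kept fd at a fresh number first; dup() hands out increasing free numbers,
    # so a later dup2() into a low slot can never overwrite a fd that still has to be moved.
    staged = [os.dup(keep[slot]) for slot in range(n)]
    for slot, fd in enumerate(staged):
        os.dup2(fd, slot)  # also closes whatever used to live in the slot (stdin/stdout/...)
    os.closerange(n, os.sysconf("SC_OPEN_MAX"))  # originals, staged copies, everything else
    # Soft and hard limit: an unprivileged process cannot raise the hard limit back.
    resource.setrlimit(resource.RLIMIT_NOFILE, (n, n))
    if sys.platform == "linux":
        _set_no_new_privs()


def block_device_main() -> dict:
    """Runs inside the jail: serve the disk through DISK_SLOT and probe what the jail forbids."""
    report = {}
    os.lseek(DISK_SLOT, 0, os.SEEK_SET)
    report["sector0"] = os.read(DISK_SLOT, 512).decode()  # the one thing it is allowed to do
    probes = (
        ("open_new_file", lambda: os.open(os.devnull, os.O_RDONLY)),  # not even /dev/null
        ("new_pipe", os.pipe),
        ("dup_disk", lambda: os.dup(DISK_SLOT)),
    )
    for name, attempt in probes:
        try:
            attempt()
            report[name] = "allowed"
        except OSError as e:
            report[name] = errno.errorcode.get(e.errno, str(e.errno))  # expect "EMFILE"
    return report


def run_sandboxed_block_device(backing_path: str) -> dict:
    """Parent side: open the disk, fork the device process, hand over the fd, collect the report."""
    disk_fd = os.open(backing_path, os.O_RDONLY)
    report_r, report_w = os.pipe()
    pid = os.fork()
    if pid == 0:  # ---- device process ----
        code = 0
        try:
            enter_device_jail({DISK_SLOT: disk_fd, REPORT_SLOT: report_w})
            os.write(REPORT_SLOT, json.dumps(block_device_main()).encode())
        except BaseException:
            code = 1
        os._exit(code)  # never unwind into the parent's interpreter state
    # ---- parent ----
    os.close(report_w)
    os.close(disk_fd)  # the parent keeps no handle either; only the device process has one
    with os.fdopen(report_r, "rb") as f:
        raw = f.read()  # EOF once the device process exits
    _, status = os.waitpid(pid, 0)
    report = json.loads(raw) if raw else {}
    report["exit_code"] = os.waitstatus_to_exitcode(status)
    return report


def make_sample_disk() -> str:
    """Write the constructed sample image to a temp file and return its path."""
    with tempfile.NamedTemporaryFile(prefix="sandbox-demo-disk-", delete=False) as f:
        f.write(SAMPLE_DISK)
    return f.name


if __name__ == "__main__":
    print(json.dumps(run_sandboxed_block_device(make_sample_disk()), indent=2))
```

The renumbering step matters more than it looks: a jailed child that keeps "whatever fd 7 happened to be" is fragile and leaks whatever else was open in the parent, whereas a fixed slot layout plus `closerange()` gives the device exactly the descriptors listed and nothing inherited by accident. `RLIMIT_NOFILE` is enforced on every descriptor-creating syscall, including for root, so the probes fail with `EMFILE` regardless of who runs the demo; what it does not do is stop the device from misusing the fd it has, which is why the real jail adds a seccomp policy on top.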