Proprietary CellOS host backend (L2).
Today this is a simulated runtime: in-memory cell records that must be removed on
destroy so tests can falsify residue. When the real kernel/userspace ABI exists, replace the
inner implementation with FFI/IPC while keeping the same CellBackend contract.
Subprocess spawn (E1-04)
spawn_isolated_workload is the only sanctioned way for this backend to materialise a
child process. It enforces three FD-hygiene invariants on Unix:
- No ambient env. The child gets env_clear() plus exactly the declared injection set — nothing inherited from the supervisor.
- Stdio replaced with pipes. stdin / stdout / stderr are wired to fresh pipes whose parent ends drop before the caller can write or read, so a child cannot reach back into the supervisor's terminal or log streams.
- All FDs > 2 closed on exec. A pre_exec closure walks /proc/self/fd and sets FD_CLOEXEC on every fd > 2. The kernel atomically closes those at execve(2), so a workload never inherits NATS sockets, broker handles, or audit-log writers.
These guarantees are exercised by tests/fd_isolation.rs, which reads
/proc/<child>/environ of a real child and asserts byte-for-byte equality with the declared
injection set.
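The three invariants above, as an added example that is not the crate's own code: a stand-in spawn_isolated_workload that takes a plain BTreeMap instead of the crate's WorkloadEnv and returns a std Child (whose parent pipe ends the caller still holds) instead of SpawnedWorkload. It is Linux-only, since it walks /proc/self/fd and calls the fcntl(2) ABI directly.

```rust
use std::collections::BTreeMap;
use std::ffi::c_int;
use std::fs;
use std::io;
use std::os::unix::process::CommandExt;
use std::process::{Child, Command, Stdio};
// fcntl(2) from libc, declared directly so the example needs no external crate.
unsafe extern "C" {
    fn fcntl(fd: c_int, cmd: c_int, ...) -> c_int;
}
const F_GETFD: c_int = 1; // Linux values
const F_SETFD: c_int = 2;
const FD_CLOEXEC: c_int = 1;
/// Runs in the forked child (pre_exec): mark every fd > 2 close-on-exec so
/// execve(2) drops them atomically. Stdio has already been dup2'd onto 0..2.
fn close_inherited_fds_on_exec() -> io::Result<()> {
    for entry in fs::read_dir("/proc/self/fd")? {
        let name = entry?.file_name();
        let fd: c_int = match name.to_str().and_then(|s| s.parse().ok()) {
            Some(fd) if fd > 2 => fd,
            _ => continue, // keep stdio; ignore non-numeric entries
        };
        // SAFETY: fcntl only touches the descriptor flags of an fd this process owns.
        let flags = unsafe { fcntl(fd, F_GETFD) };
        if flags == -1 {
            continue; // closed between readdir and fcntl; nothing to do
        }
        if unsafe { fcntl(fd, F_SETFD, flags | FD_CLOEXEC) } == -1 {
            return Err(io::Error::last_os_error());
        }
    }
    Ok(())
}
/// Hypothetical stand-in for the crate's spawn_isolated_workload: no ambient
/// env, only the declared injection set, piped stdio, all fds > 2 closed at exec.
pub fn spawn_isolated_workload(
    program: &str,
    args: &[&str],
    env: &BTreeMap<String, String>,
) -> io::Result<Child> {
    let mut cmd = Command::new(program);
    cmd.args(args).env_clear().envs(env);
    cmd.stdin(Stdio::piped()).stdout(Stdio::piped()).stderr(Stdio::piped());
    // SAFETY: the closure runs post-fork and only reads /proc and calls fcntl
    // (read_dir allocates, which is tolerated here for a single-threaded caller).
    unsafe { cmd.pre_exec(close_inherited_fds_on_exec) };
    cmd.spawn()
}
```

Reading /proc/<child>/environ back, as the crate's fd_isolation test does, should yield exactly the declared set and nothing else.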
Re-exports
pub use memory_broker::MemorySecretBroker;
Modules
- memory_broker - In-memory SecretBroker for development and residue tests — simulates TTL-bound injection and revoke on teardown.
Structs
- ProprietaryCellBackend - Simulated proprietary host: tracks active cells; destroy removes all host-side state for that id.
- SpawnedWorkload - Handle to a spawned workload child. Drops do not kill — the caller wait()s.
- WorkloadEnv - Declared environment injection set for spawn_isolated_workload.
Functions
- spawn_isolated_workload - Spawn a workload subprocess with closed FD inheritance and a declared env injection set.