Trait ProcessSandbox 

pub trait ProcessSandbox: Send + Sync {
    // Required methods
    fn prepare<'life0, 'life1, 'async_trait>(
        &'life0 self,
        ctx: &'life1 ExecSandboxContext,
    ) -> Pin<Box<dyn Future<Output = RuntimeResult<()>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait,
             'life1: 'async_trait;
    fn wrap(
        &self,
        argv: &[String],
        ctx: &ExecSandboxContext,
    ) -> RuntimeResult<WrappedCommand>;
    fn probe<'life0, 'life1, 'async_trait>(
        &'life0 self,
        profile: &'life1 SandboxProfile,
    ) -> Pin<Box<dyn Future<Output = RuntimeResult<Enforcement>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait,
             'life1: 'async_trait;
    fn shutdown<'life0, 'async_trait>(
        &'life0 self,
    ) -> Pin<Box<dyn Future<Output = RuntimeResult<()>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait;
}

A process-sandbox backend. Shape only — no implementations ship in fluers; this is the slot saorsa-sandbox will replace/re-export/adapt to (WP-5/4e).

Lifecycle (C2): a backend is constructed once, prepared at session construction, and wrap is called cheaply per command. shutdown tears down per-session state when the session ends.

WP-2 limitation: fluers calls prepare and wrap but does not yet call shutdown (no real backend to leak in this milestone). Wiring the shutdown call — a best-effort cleanup at session end — is part of WP-5/4e when a stateful backend lands. Until then the session owns the backend’s lifecycle and a consumer that constructs a stateful backend itself is responsible for calling shutdown.

Required Methods

fn prepare<'life0, 'life1, 'async_trait>(
    &'life0 self,
    ctx: &'life1 ExecSandboxContext,
) -> Pin<Box<dyn Future<Output = RuntimeResult<()>> + Send + 'async_trait>>
where
    Self: 'async_trait,
    'life0: 'async_trait,
    'life1: 'async_trait,

One-time initialization for a session (e.g. boot a proxy). Called once before any wrap.

fn wrap(
    &self,
    argv: &[String],
    ctx: &ExecSandboxContext,
) -> RuntimeResult<WrappedCommand>

Wrap an argv for the given context, returning the (possibly rewritten) argv plus any required env additions. Must be cheap; the heavy work is in prepare.

fn probe<'life0, 'life1, 'async_trait>(
    &'life0 self,
    profile: &'life1 SandboxProfile,
) -> Pin<Box<dyn Future<Output = RuntimeResult<Enforcement>> + Send + 'async_trait>>
where
    Self: 'async_trait,
    'life0: 'async_trait,
    'life1: 'async_trait,

Self-test whether the backend can enforce profile on this host. Async per C3 (it may spawn children). Called at session construction so SandboxPolicy can fail-closed up front.

fn shutdown<'life0, 'async_trait>(
    &'life0 self,
) -> Pin<Box<dyn Future<Output = RuntimeResult<()>> + Send + 'async_trait>>
where
    Self: 'async_trait,
    'life0: 'async_trait,

Tear down per-session state (e.g. stop a proxy). Called once at session end. Best-effort: errors are logged, not fatal.
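As an added illustration of the lifecycle these four methods describe (this is example code, not fluers or saorsa-sandbox code), the block below implements the trait in the expanded `Pin<Box<dyn Future>>` form the page shows and drives one session through it in the C2 order: probe with a fail-closed check, prepare once, wrap per command, best-effort shutdown. Everything beyond the trait shape is an assumption of this example: the stand-in `RuntimeResult`, `ExecSandboxContext`, `SandboxProfile`, `Enforcement` and `WrappedCommand` types, the made-up `toy-sandbox-wrapper` binary and `TOY_SANDBOX` variable, the `check_fail_closed` and `run_session` helpers, and the no-op-waker `block_on` used so it runs without a runtime crate. The page's three lifetime parameters are collapsed to a single `'a`.

```rust
use std::collections::HashMap;
use std::future::Future;
use std::pin::Pin;
use std::sync::{Mutex, MutexGuard};
use std::task::{Context, Poll, RawWaker, RawWakerVTable, Waker};

// Stand-in types (assumed here; the real fluers definitions are not on this page).
pub type RuntimeResult<T> = Result<T, String>;
#[derive(Debug, Clone, Default)] pub struct ExecSandboxContext { pub cwd: String }
#[derive(Debug, Clone)] pub struct SandboxProfile { pub deny_network: bool }
#[derive(Debug, Clone, Copy, PartialEq, Eq)] pub enum Enforcement { Full, Partial }
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct WrappedCommand { pub argv: Vec<String>, pub env: HashMap<String, String> }

// The page's expanded async signatures, with the three lifetimes collapsed to one.
type BoxFut<'a, T> = Pin<Box<dyn Future<Output = RuntimeResult<T>> + Send + 'a>>;
pub trait ProcessSandbox: Send + Sync {
    fn prepare<'a>(&'a self, ctx: &'a ExecSandboxContext) -> BoxFut<'a, ()>;
    fn wrap(&self, argv: &[String], ctx: &ExecSandboxContext) -> RuntimeResult<WrappedCommand>;
    fn probe<'a>(&'a self, profile: &'a SandboxProfile) -> BoxFut<'a, Enforcement>;
    fn shutdown<'a>(&'a self) -> BoxFut<'a, ()>;
}

// Minimal executor (no-op waker) so the example runs without an async runtime crate.
fn noop_raw_waker() -> RawWaker {
    fn clone(_: *const ()) -> RawWaker { noop_raw_waker() }
    fn noop(_: *const ()) {}
    static VTABLE: RawWakerVTable = RawWakerVTable::new(clone, noop, noop, noop);
    RawWaker::new(std::ptr::null(), &VTABLE)
}
pub fn block_on<F: Future>(fut: F) -> F::Output {
    let waker = unsafe { Waker::from_raw(noop_raw_waker()) };
    let mut cx = Context::from_waker(&waker);
    let mut fut = std::pin::pin!(fut);
    loop {
        if let Poll::Ready(out) = fut.as_mut().poll(&mut cx) { return out; }
        std::thread::yield_now();
    }
}

// Hypothetical backend: prefixes argv with a made-up wrapper binary and tracks lifecycle
// state so that misuse (wrap before prepare) is rejected instead of returning an unsandboxed argv.
#[derive(Default)] struct State { prepared: bool, shut_down: bool, wraps: usize }
pub struct ToyBackend { wrapper: String, state: Mutex<State> }
impl ToyBackend {
    pub fn new() -> Self {
        Self { wrapper: "toy-sandbox-wrapper".into(), state: Mutex::new(State::default()) }
    }
    fn lock(&self) -> MutexGuard<'_, State> { self.state.lock().unwrap_or_else(|p| p.into_inner()) }
    pub fn wrap_count(&self) -> usize { self.lock().wraps }
    pub fn is_shut_down(&self) -> bool { self.lock().shut_down }
}
impl ProcessSandbox for ToyBackend {
    fn prepare<'a>(&'a self, ctx: &'a ExecSandboxContext) -> BoxFut<'a, ()> {
        Box::pin(async move {
            if ctx.cwd.is_empty() { return Err("prepare: empty cwd".to_string()); }
            self.lock().prepared = true; // a real backend would boot its proxy here
            Ok(())
        })
    }
    fn wrap(&self, argv: &[String], ctx: &ExecSandboxContext) -> RuntimeResult<WrappedCommand> {
        let mut st = self.lock();
        if !st.prepared { return Err("wrap called before prepare".to_string()); }
        if argv.is_empty() { return Err("wrap: empty argv".to_string()); }
        st.wraps += 1;
        let mut out = vec![self.wrapper.clone(), "--cwd".to_string(), ctx.cwd.clone(), "--".to_string()];
        out.extend_from_slice(argv);
        let env = HashMap::from([("TOY_SANDBOX".to_string(), "1".to_string())]);
        Ok(WrappedCommand { argv: out, env })
    }
    fn probe<'a>(&'a self, profile: &'a SandboxProfile) -> BoxFut<'a, Enforcement> {
        // This toy confines the filesystem only; it cannot deny network egress.
        Box::pin(async move { Ok(if profile.deny_network { Enforcement::Partial } else { Enforcement::Full }) })
    }
    fn shutdown<'a>(&'a self) -> BoxFut<'a, ()> {
        Box::pin(async move { self.lock().shut_down = true; Ok(()) })
    }
}

// Fail-closed gate (stand-in for what SandboxPolicy does): refuse the session unless enforcement is Full.
pub fn check_fail_closed(backend: &dyn ProcessSandbox, profile: &SandboxProfile) -> RuntimeResult<()> {
    match block_on(backend.probe(profile))? {
        Enforcement::Full => Ok(()),
        other => Err(format!("fail-closed: backend reports {other:?} enforcement")),
    }
}

// One session in the C2 order: probe, prepare, wrap per command, best-effort shutdown.
pub fn run_session(backend: &dyn ProcessSandbox, profile: &SandboxProfile,
                   ctx: &ExecSandboxContext, commands: &[Vec<String>]) -> RuntimeResult<Vec<WrappedCommand>> {
    check_fail_closed(backend, profile)?;
    block_on(backend.prepare(ctx))?;
    let wrapped = commands.iter().map(|argv| backend.wrap(argv, ctx)).collect();
    if let Err(e) = block_on(backend.shutdown()) { eprintln!("shutdown failed (logged, not fatal): {e}"); }
    wrapped
}
```

Two behaviours are worth noting. `wrap` refuses to run before `prepare`, so a misordered session fails rather than handing back an argv that was never wrapped. And `run_session` still attempts `shutdown` after a failed `wrap`, and only logs a shutdown error, matching the best-effort cleanup described for this method.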

Dyn Compatibility

This trait is dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety".

Implementors