pub trait ProcessSandbox: Send + Sync {
    // Required methods
    fn prepare<'life0, 'life1, 'async_trait>(
        &'life0 self,
        ctx: &'life1 ExecSandboxContext,
    ) -> Pin<Box<dyn Future<Output = RuntimeResult<()>> + Send + 'async_trait>>
    where
        Self: 'async_trait,
        'life0: 'async_trait,
        'life1: 'async_trait;
    fn wrap(
        &self,
        argv: &[String],
        ctx: &ExecSandboxContext,
    ) -> RuntimeResult<WrappedCommand>;
    fn probe<'life0, 'life1, 'async_trait>(
        &'life0 self,
        profile: &'life1 SandboxProfile,
    ) -> Pin<Box<dyn Future<Output = RuntimeResult<Enforcement>> + Send + 'async_trait>>
    where
        Self: 'async_trait,
        'life0: 'async_trait,
        'life1: 'async_trait;
    fn shutdown<'life0, 'async_trait>(
        &'life0 self,
    ) -> Pin<Box<dyn Future<Output = RuntimeResult<()>> + Send + 'async_trait>>
    where
        Self: 'async_trait,
        'life0: 'async_trait;
}
A process-sandbox backend. Shape only — no implementations ship in
fluers; this is the slot that saorsa-sandbox will replace, re-export, or
adapt to (WP-5/4e).
Lifecycle (C2): a backend is constructed once, prepared
at session construction, and wrap is called cheaply per
command. shutdown tears down per-session state when the
session ends.
WP-2 limitation: fluers calls prepare and wrap but does not
yet call shutdown (no real backend to leak in this milestone). Wiring the
shutdown call — a best-effort cleanup at session end — is part of WP-5/4e
when a stateful backend lands. Until then the session owns the backend’s
lifecycle and a consumer that constructs a stateful backend itself is
responsible for calling shutdown.
Required Methods

fn prepare<'life0, 'life1, 'async_trait>(
    &'life0 self,
    ctx: &'life1 ExecSandboxContext,
) -> Pin<Box<dyn Future<Output = RuntimeResult<()>> + Send + 'async_trait>>
where
    Self: 'async_trait,
    'life0: 'async_trait,
    'life1: 'async_trait,
One-time initialization for a session (e.g. boot a proxy). Called once
before any wrap.
fn wrap(
    &self,
    argv: &[String],
    ctx: &ExecSandboxContext,
) -> RuntimeResult<WrappedCommand>
Wrap an argv for the given context, returning the (possibly rewritten)
argv plus any required env additions. Must be cheap; the heavy work is
in prepare.
fn probe<'life0, 'life1, 'async_trait>(
    &'life0 self,
    profile: &'life1 SandboxProfile,
) -> Pin<Box<dyn Future<Output = RuntimeResult<Enforcement>> + Send + 'async_trait>>
where
    Self: 'async_trait,
    'life0: 'async_trait,
    'life1: 'async_trait,
Self-test whether the backend can enforce profile on this host.
Async per C3 (it may spawn children). Called at session construction so
SandboxPolicy can fail-closed up front.
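The lifecycle described above (probe at session construction so policy can fail closed, prepare once, wrap cheaply per command, shutdown at session end) as an added, stand-alone example. This is not fluers or saorsa-sandbox code: the ExecSandboxContext, SandboxProfile, Enforcement, WrappedCommand and RuntimeResult types are assumed stand-ins with the shape the signatures imply, the trait is re-declared with the three lifetimes collapsed into one for brevity, the PassthroughSandbox backend and construct_session policy are hypothetical, and block_on is a minimal executor so the example runs without an async runtime.

```rust
use std::future::Future;
use std::pin::Pin;
use std::sync::atomic::{AtomicBool, Ordering};
use std::task::{Context, Poll, RawWaker, RawWakerVTable, Waker};

// Assumed stand-ins for the fluers types named in the trait signature.
#[derive(Debug)]
pub enum RuntimeError {
    NotPrepared,
    Policy(String),
}
pub type RuntimeResult<T> = Result<T, RuntimeError>;
pub struct ExecSandboxContext { pub workdir: String }
pub struct SandboxProfile { pub require_isolation: bool }
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Enforcement { Full, None }
#[derive(Debug, PartialEq)]
pub struct WrappedCommand { pub argv: Vec<String>, pub env: Vec<(String, String)> }

type BoxFut<'a, T> = Pin<Box<dyn Future<Output = T> + Send + 'a>>;

// Same shape as the documented trait; 'life0/'life1/'async_trait are
// collapsed into a single 'a here (assumption, for brevity).
pub trait ProcessSandbox: Send + Sync {
    fn prepare<'a>(&'a self, ctx: &'a ExecSandboxContext) -> BoxFut<'a, RuntimeResult<()>>;
    fn wrap(&self, argv: &[String], ctx: &ExecSandboxContext) -> RuntimeResult<WrappedCommand>;
    fn probe<'a>(&'a self, profile: &'a SandboxProfile) -> BoxFut<'a, RuntimeResult<Enforcement>>;
    fn shutdown<'a>(&'a self) -> BoxFut<'a, RuntimeResult<()>>;
}

/// Hypothetical backend that isolates nothing and says so in probe().
/// It tracks prepare/shutdown so wrap() refuses to run outside the lifecycle.
pub struct PassthroughSandbox { prepared: AtomicBool }

impl PassthroughSandbox {
    pub fn new() -> Self { Self { prepared: AtomicBool::new(false) } }
}

impl ProcessSandbox for PassthroughSandbox {
    fn prepare<'a>(&'a self, _ctx: &'a ExecSandboxContext) -> BoxFut<'a, RuntimeResult<()>> {
        // One-time heavy work lives here (a real backend might boot a proxy).
        Box::pin(async move { self.prepared.store(true, Ordering::SeqCst); Ok::<(), RuntimeError>(()) })
    }
    fn wrap(&self, argv: &[String], ctx: &ExecSandboxContext) -> RuntimeResult<WrappedCommand> {
        // Cheap and synchronous; fail closed if prepare() has not run.
        if !self.prepared.load(Ordering::SeqCst) { return Err(RuntimeError::NotPrepared); }
        Ok(WrappedCommand {
            argv: argv.to_vec(),
            env: vec![("SANDBOX_WORKDIR".to_string(), ctx.workdir.clone())],
        })
    }
    fn probe<'a>(&'a self, _profile: &'a SandboxProfile) -> BoxFut<'a, RuntimeResult<Enforcement>> {
        // A passthrough can never enforce isolation; report that truthfully.
        Box::pin(async move { Ok::<Enforcement, RuntimeError>(Enforcement::None) })
    }
    fn shutdown<'a>(&'a self) -> BoxFut<'a, RuntimeResult<()>> {
        Box::pin(async move { self.prepared.store(false, Ordering::SeqCst); Ok::<(), RuntimeError>(()) })
    }
}

/// Session-construction policy: probe first and fail closed, before any
/// prepare(), when the host cannot enforce what the profile requires.
pub fn construct_session(
    backend: &dyn ProcessSandbox,
    profile: &SandboxProfile,
    ctx: &ExecSandboxContext,
) -> RuntimeResult<()> {
    let enforcement = block_on(backend.probe(profile))?;
    if profile.require_isolation && enforcement != Enforcement::Full {
        return Err(RuntimeError::Policy(format!(
            "profile requires isolation but backend reports {enforcement:?}"
        )));
    }
    block_on(backend.prepare(ctx))
}

/// Minimal executor: these futures finish on the first poll, so a no-op
/// waker is enough and no async runtime is needed.
pub fn block_on<F: Future>(fut: F) -> F::Output {
    fn clone(p: *const ()) -> RawWaker { RawWaker::new(p, &VTABLE) }
    fn noop(_: *const ()) {}
    static VTABLE: RawWakerVTable = RawWakerVTable::new(clone, noop, noop, noop);
    let waker = unsafe { Waker::from_raw(RawWaker::new(std::ptr::null(), &VTABLE)) };
    let mut cx = Context::from_waker(&waker);
    let mut fut = std::pin::pin!(fut);
    loop {
        if let Poll::Ready(out) = fut.as_mut().poll(&mut cx) { return out; }
        std::thread::yield_now();
    }
}

fn main() {
    let backend = PassthroughSandbox::new();
    let ctx = ExecSandboxContext { workdir: "/tmp/work".to_string() };
    let strict = SandboxProfile { require_isolation: true };
    println!("strict profile: {:?}", construct_session(&backend, &strict, &ctx));
    let lax = SandboxProfile { require_isolation: false };
    construct_session(&backend, &lax, &ctx).expect("lax profile prepares");
    println!("wrapped: {:?}", backend.wrap(&["ls".to_string()], &ctx));
    block_on(backend.shutdown()).expect("shutdown");
}
```

The ordering in construct_session is the point: probe runs before prepare, so a profile the host cannot enforce is rejected without the backend ever starting, and wrap refuses work both before prepare and after shutdown rather than silently running the command unsandboxed.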
Dyn Compatibility
This trait is dyn compatible.
In older versions of Rust, dyn compatibility was called "object safety".