Process execution within sandbox namespace
Key changes from the original implementation:
- Stack size: 128KB (was 8KB)
- Memory leak fix: clone config into closure instead of Box::into_raw
- Seccomp: NO root check (seccomp only needs PR_SET_NO_NEW_PRIVS)
- User namespace: sync pipe for UID/GID mapping from parent
- Resource limits: applies RlimitConfig in child before execve
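The seccomp note above rests on one kernel prerequisite: a process only needs to set its own no_new_privs bit, which any unprivileged process can do, before it may install a seccomp filter without CAP_SYS_ADMIN. The following is an added example written for this page, not code from the sandbox crate documented here; it declares `prctl` and `geteuid` directly from libc (no external crate), uses the `PR_SET_NO_NEW_PRIVS`/`PR_GET_NO_NEW_PRIVS` values from `<linux/prctl.h>`, and the function names `set_no_new_privs`, `no_new_privs_is_set` and `running_as_root` are this example's own.

```rust
// Added example: demonstrates that the no_new_privs bit, the only
// prerequisite for installing a seccomp filter, needs no root privileges.
// Not part of the documented crate; function names are this example's own.
use std::io;
use std::os::raw::{c_int, c_ulong};

// Values from <linux/prctl.h>.
const PR_SET_NO_NEW_PRIVS: c_int = 38;
const PR_GET_NO_NEW_PRIVS: c_int = 39;

#[cfg(target_os = "linux")]
unsafe extern "C" {
    // glibc declares prctl as variadic; Rust's std already links libc on
    // Linux, so no external crate is required.
    fn prctl(option: c_int, ...) -> c_int;
    fn geteuid() -> u32;
}

/// True if the calling process runs with effective UID 0. Reported only to
/// make the point that root is not required for the calls below.
#[cfg(target_os = "linux")]
pub fn running_as_root() -> bool {
    unsafe { geteuid() == 0 }
}

/// Reads the no_new_privs bit of the calling thread.
#[cfg(target_os = "linux")]
pub fn no_new_privs_is_set() -> io::Result<bool> {
    let rc = unsafe {
        prctl(PR_GET_NO_NEW_PRIVS, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong)
    };
    if rc < 0 {
        return Err(io::Error::last_os_error());
    }
    Ok(rc == 1)
}

/// Sets the no_new_privs bit. Once set it can never be cleared and it is
/// inherited across fork/clone and execve, so a sandboxed child that calls
/// this before execve can then load a seccomp filter as an ordinary user.
#[cfg(target_os = "linux")]
pub fn set_no_new_privs() -> io::Result<()> {
    let rc = unsafe {
        prctl(PR_SET_NO_NEW_PRIVS, 1 as c_ulong, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong)
    };
    if rc != 0 {
        return Err(io::Error::last_os_error());
    }
    Ok(())
}

// Stubs so the example still compiles on non-Linux targets.
#[cfg(not(target_os = "linux"))]
pub fn running_as_root() -> bool {
    false
}
#[cfg(not(target_os = "linux"))]
pub fn no_new_privs_is_set() -> io::Result<bool> {
    Err(io::Error::new(io::ErrorKind::Unsupported, "prctl is Linux-only"))
}
#[cfg(not(target_os = "linux"))]
pub fn set_no_new_privs() -> io::Result<()> {
    Err(io::Error::new(io::ErrorKind::Unsupported, "prctl is Linux-only"))
}

fn main() -> io::Result<()> {
    println!("running as root:      {}", running_as_root());
    println!("no_new_privs before:  {}", no_new_privs_is_set()?);
    set_no_new_privs()?;
    println!("no_new_privs after:   {}", no_new_privs_is_set()?);
    Ok(())
}
```

In a sandbox child the call order matters: set no_new_privs, apply resource limits, then load the seccomp filter and execve; the filter itself is the one thing this example leaves out.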
Structs
- ProcessConfig - Process execution configuration
- ProcessExecutor - Process executor
- ProcessResult - Result of process execution