Skip to main content

sandlock_core/seccomp/
ctx.rs

1use std::os::unix::io::RawFd;
2use std::sync::Arc;
3use tokio::sync::Mutex;
4
5use super::notif::NotifPolicy;
6use super::state::{ChrootState, CowState, NetworkState, PolicyFnState, ProcfsState, ResourceState, TimeRandomState};
7
8/// Holds all supervisor state and policy. Passed to every handler.
9pub struct SupervisorCtx {
10    /// Resource-limit state (memory, processes, checkpoint).
11    pub resource: Arc<Mutex<ResourceState>>,
12    /// Copy-on-write filesystem state.
13    pub cow: Arc<Mutex<CowState>>,
14    /// /proc virtualization state.
15    pub procfs: Arc<Mutex<ProcfsState>>,
16    /// Network policy and port remapping state.
17    pub network: Arc<Mutex<NetworkState>>,
18    /// Deterministic time/random state.
19    pub time_random: Arc<Mutex<TimeRandomState>>,
20    /// Dynamic policy callback state.
21    pub policy_fn: Arc<Mutex<PolicyFnState>>,
22    /// Chroot-specific runtime state.
23    pub chroot: Arc<Mutex<ChrootState>>,
24    /// Immutable policy — no lock needed.
25    pub policy: Arc<NotifPolicy>,
26    /// pidfd for the child process (immutable after spawn).
27    pub child_pidfd: Option<RawFd>,
28    /// Seccomp notification fd (for on-behalf operations).
29    pub notif_fd: RawFd,
30}