
Replace C++ FFI with memfd exec of embedded nsjail binary #7

Merged: afq984 merged 1 commit into google:main from afq984:push-ttqqrynmpoxk on Apr 5, 2026



@afq984 afq984 commented Apr 5, 2026

Eliminate the 305-line run_jail.cc C++ FFI layer by embedding the nsjail binary and executing it from a memfd at runtime.

  • Serialize nsjail config to text proto via prost-reflect
  • Write config to a memfd (no CLOEXEC, survives exec)
  • Unpack embedded nsjail binary to a memfd (CLOEXEC)
  • exec /proc/self/fd/N with -C /dev/fd/M

Delete run_jail.cc, run_jail.h, and the cc_library target.

@afq984 afq984 merged commit 0f1d025 into google:main Apr 5, 2026
3 checks passed
@afq984 afq984 deleted the push-ttqqrynmpoxk branch April 5, 2026 12:05
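
The descriptor handling listed in the PR description, as an added example that is not code from this pull request or the project: it creates the two memfds with the stated close-on-exec settings, checks the flags, and builds the exec path and argv. The helper names `memfd_with`, `closes_on_exec` and `exec_plan` and the sample bytes are assumptions, and it stops before the exec because no nsjail binary is embedded here.

```rust
use std::ffi::CString;
use std::fs::File;
use std::io::{self, Write};
use std::os::raw::{c_char, c_int, c_uint};
use std::os::unix::io::{AsRawFd, FromRawFd};

// libc symbols declared by hand so the example needs no crates (glibc >= 2.27).
extern "C" {
    fn memfd_create(name: *const c_char, flags: c_uint) -> c_int;
    fn fcntl(fd: c_int, cmd: c_int, ...) -> c_int;
}
const MFD_CLOEXEC: c_uint = 1; // Linux UAPI constants
const F_GETFD: c_int = 1;
const FD_CLOEXEC: c_int = 1;

/// Create an anonymous in-memory file holding `data` (hypothetical helper).
fn memfd_with(name: &str, data: &[u8], cloexec: bool) -> io::Result<File> {
    let cname = CString::new(name).expect("no NUL in name");
    let fd = unsafe { memfd_create(cname.as_ptr(), if cloexec { MFD_CLOEXEC } else { 0 }) };
    if fd < 0 { return Err(io::Error::last_os_error()); }
    let mut file = unsafe { File::from_raw_fd(fd) };
    file.write_all(data)?;
    Ok(file)
}

/// True if the kernel closes this descriptor during execve().
fn closes_on_exec(file: &File) -> io::Result<bool> {
    let flags = unsafe { fcntl(file.as_raw_fd(), F_GETFD) };
    if flags < 0 { return Err(io::Error::last_os_error()); }
    Ok(flags & FD_CLOEXEC != 0)
}

/// Path to exec plus argv, following the last bullet of the PR description.
fn exec_plan(binary: &File, config: &File) -> (String, Vec<String>) {
    let path = format!("/proc/self/fd/{}", binary.as_raw_fd());
    let cfg = format!("/dev/fd/{}", config.as_raw_fd());
    (path, vec!["nsjail".into(), "-C".into(), cfg])
}

fn main() -> io::Result<()> {
    // Constructed stand-ins: a one-line config and a dummy payload, not real nsjail data.
    let config = memfd_with("config", b"name: \"constructed\"\n", false)?;
    let binary = memfd_with("nsjail", b"not a real ELF", true)?;
    println!("config CLOEXEC={} binary CLOEXEC={}", closes_on_exec(&config)?, closes_on_exec(&binary)?);
    println!("{:?}", exec_plan(&binary, &config));
    Ok(())
}
```

Close-on-exec on the binary's descriptor works for an ELF image because the kernel opens the executable before it closes descriptors; a `#!` script executed this way would fail, as fexecve(3) documents. The config descriptor has to stay open because the new process opens `/dev/fd/M` only after the exec.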