# Sandboxing

```mermaid
%%{init: {'theme':'base'}}%%
graph BT
    subgraph guest
        subgraph guest_kernel
            virtio_blk_driver
            virtio_net_driver
        end
    end
    subgraph crosvm Process
        vcpu0:::vcpu
        vcpu1:::vcpu
        subgraph device_proc0[Device Process]
            virtio_blk --- virtio_blk_driver
            disk_fd[(Disk FD)]
        end
        subgraph device_proc1[Device Process]
            virtio_net --- virtio_net_driver
            tapfd{{TAP FD}}
        end
    end
    subgraph kernel[Host Kernel]
        KVM --- vcpu1 & vcpu0
    end
    style KVM fill:#4285f4
    classDef vcpu fill:#7890cd
    classDef system fill:#fff,stroke:#777;
    class crosvm,guest,kernel system;
    style guest_kernel fill:#d23369,stroke:#777
```

Generally speaking, sandboxing is achieved in crosvm by isolating each virtualized device into its
own process. A process is always somewhat isolated from another by virtue of being in a different
address space. Depending on the operating system, crosvm uses additional measures to sandbox its
child processes, limiting each one to just what it needs to function.

In the example diagram above, the virtio block device exists as a child process of crosvm. It has
been limited to having just the FD needed to access the backing file on the host and has no ability
to open new files. A compromised block device therefore cannot reach arbitrary host files, nor the
TAP FD held by the separate virtio net process. A similar setup exists for other devices like
virtio net.
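The following is an added example, not crosvm's own code, showing the two halves of the setup
described above on Linux: the parent opens the disk image and forks a device process that keeps
only that one FD, and the device process then installs a seccomp filter so that the inherited FD
still works but any attempt to open a new host file fails with `EPERM`. On Linux crosvm applies
this kind of restriction through minijail and per-device seccomp policies; the example calls
`prctl(PR_SET_SECCOMP, ...)` directly instead. The temporary disk image, its `DISK_MAGIC`
contents, and the `DEV_*` status codes are constructed for the example. It needs a Linux host on
x86_64 or aarch64.

```c
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Constructed marker written at offset 0 of the example disk image. */
#define DISK_MAGIC "CROSVM-SANDBOX-DEMO-DISK"

/* Status bits returned by the device process (example-only). */
enum { DEV_OK = 0, DEV_READ_FAILED = 1, DEV_OPEN_NOT_BLOCKED = 2, DEV_SANDBOX_FAILED = 4 };

/* Keep only the FD the device needs; everything else inherited from the parent goes away. */
static void close_all_but(int keep) {
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;   /* bound the loop; fds above this are rare */
    for (int fd = 0; fd < max; fd++)
        if (fd != keep) close(fd);
}

/* Install a seccomp-BPF filter: every open-family syscall returns EPERM, all else is allowed. */
static int install_no_open_filter(void) {
    const unsigned blocked[] = {
#ifdef __NR_open
        __NR_open,
#endif
#ifdef __NR_creat
        __NR_creat,
#endif
        __NR_openat,
#ifdef __NR_openat2
        __NR_openat2,
#endif
    };
    const int k = (int)(sizeof blocked / sizeof blocked[0]);
    struct sock_filter filt[3 + 1 + 4 + 2];
    int n = 0;
    /* Refuse to run under a foreign ABI (syscall numbers would not mean what we think). */
    filt[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    filt[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0);
    filt[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    filt[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* Each match jumps over the remaining checks and the ALLOW to the ERRNO return below. */
    for (int i = 0; i < k; i++)
        filt[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, blocked[i], (unsigned char)(k - i), 0);
    filt[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    filt[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = filt };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;   /* required for unprivileged filters */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Body of the sandboxed device process: legitimate work on disk_fd, then a forbidden open. */
static int device_process(int disk_fd, int apply_filter) {
    int status = DEV_OK;
    close_all_but(disk_fd);
    if (apply_filter && install_no_open_filter() != 0) return DEV_SANDBOX_FAILED;
    char sector[512];
    ssize_t got = pread(disk_fd, sector, sizeof sector, 0);   /* serving a block request */
    if (got < (ssize_t)strlen(DISK_MAGIC) || memcmp(sector, DISK_MAGIC, strlen(DISK_MAGIC)) != 0)
        status |= DEV_READ_FAILED;
    int fd = open("/dev/null", O_RDONLY);   /* what a compromised device would try next */
    if (fd >= 0) { status |= DEV_OPEN_NOT_BLOCKED; close(fd); }
    return status;
}

/* Parent side: open the backing file, hand the device process that single FD, collect its status. */
int run_device_process(const char *disk_path, int apply_filter) {
    int disk_fd = open(disk_path, O_RDONLY);
    if (disk_fd < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(disk_fd); return -1; }
    if (pid == 0) _exit(device_process(disk_fd, apply_filter));
    close(disk_fd);
    int wstatus;
    if (waitpid(pid, &wstatus, 0) != pid || !WIFEXITED(wstatus)) return -1;   /* -1 also if seccomp killed it */
    return WEXITSTATUS(wstatus);
}

/* Builds a constructed disk image in /tmp, runs the device process against it, cleans up. */
int demo_with_temp_disk(int apply_filter) {
    char path[] = "/tmp/crosvm-sandbox-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t len = (ssize_t)strlen(DISK_MAGIC);
    int ok = write(fd, DISK_MAGIC, (size_t)len) == len;
    close(fd);
    int r = ok ? run_device_process(path, apply_filter) : -1;
    unlink(path);
    return r;
}

int main(void) {
    int sandboxed = demo_with_temp_disk(1);
    int unsandboxed = demo_with_temp_disk(0);
    printf("with seccomp filter:    status %d (0 = read ok, open blocked)\n", sandboxed);
    printf("without seccomp filter: status %d (%d = read ok, open allowed)\n", unsandboxed, DEV_OPEN_NOT_BLOCKED);
    return (sandboxed == DEV_OK && unsandboxed == DEV_OPEN_NOT_BLOCKED) ? 0 : 1;
}
```

Running it with the filter gives status 0: the inherited disk FD still serves reads, while the
`open()` fails with `EPERM`. Running it without the filter gives status 2, showing that closing
FDs alone does not stop the device process from opening new host files; the syscall filter is what
removes that ability. A real policy would also confine the remaining syscalls to the set the device
actually uses, which is what crosvm's per-device seccomp policies do.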