1# Sandboxing 2 3<!-- Image from https://docs.google.com/presentation/d/1s6wH5L_F8NNiXls5UgWbD34jtBmijoZuiyLu76Fc2NM/edit#slide=id.g2d8628a5aae_0_0 --> 4 5 6 7Generally speaking, sandboxing is achieved in crosvm by isolating each virtualized devices into its 8own process. A process is always somewhat isolated from another by virtue of being in a different 9address space. Depending on the operating system, crosvm will use additional measures to sandbox the 10child processes of crosvm by limiting each process to just what it needs to function. 11 12In the example diagram above, the virtio block device exists as a child process of crosvm. It has 13been limited to having just the FD needed to access the backing file on the host and has no ability 14to open new files. A similar setup exists for other devices like virtio net. 15
