Sandbox Overview
To understand how Legato sandboxes are implemented, see Sandboxes basics.
There's also an topic on how to Use Sandboxes.
Overview
Sandboxes are configured through the Definition Files :
This is what a sandboxed app Config Tree Schema looks like.
Common Problems
These are some common reasons for sandbox problems:
- permissions are set incorrectly: check the .cdef bundles section to ensure permissions are valid.
- a file is missing from the file system within the sandbox: check that the files in .cdef requires and .adef requires sections include all required files.
- you've reached a sanboxed app limit.
Sandbox Sample Apps
Legato provides sample apps that use sandboxes:
Shell Piping
Command Line
Sample Code
This is the Shell Piping sample app's .adef file:
start: manual bundles: { file: { // Bundling the script into the sandbox with the permissions needed to run it. [rx] utilPipes / } } requires: { file: { // Adding sh (shell), ls, grep and echo utilities into the sandbox. /bin/sh /usr/local/bin/ /bin/ls /usr/local/bin/ /bin/grep /usr/local/bin/ /bin/echo /usr/local/bin/ } } processes: { run: { // Run sh (shell) and pass it the script for it to run. (sh utilPipes) } }
Access Services Outside
A Legato sandboxed app can access services outside its sandbox. All available services are advertised by the Service Directory. Apps connect to services through a request to the Service Directory. The Service Directory grants access only if the app has been explicitly bound to a service (using the .adef and
.sdef
bindings
section).
If you want to allow direct access to bind mount objects from the file system (e.g., files, directories, named sockets and pipes, etc.), explicitly allow it through app configuration in the .adef and
.cdef files
requires
section.
Unsandbox
Although it's not recommended, you can turn-off sandboxing by setting sandboxed to false
.
Copyright (C) Sierra Wireless Inc. Use of this work is subject to license.