refactor(jailer): copy only shim + libkrunfw to box bin/ directory #337
Merged
DorianZheng merged 3 commits into main from Mar 4, 2026
The jailer previously copied libkrun, libkrunfw, and libgvproxy alongside the shim binary into each box's bin/ directory. This was unnecessary since configure_library_env in spawn.rs already handles library discovery via dladdr, and the LD_LIBRARY_PATH set in command() was immediately overwritten.

Changes:
- Remove BUNDLED_LIB_PATTERNS constants and copy_bundled_libraries()
- Simplify copy_shim_to_box() to only copy the shim binary
- Grant sandbox read access to original binary's parent directory so the dynamic linker can load libraries from their original location
- Remove dead LD_LIBRARY_PATH setting from Jailer::command()
- Update comments to reflect shim-only copying
- Fix pre-existing ParallelRuntime compile error in clone_export_import tests
- Fix pre-existing cargo fmt issues in lib.rs and go-sdk lib.rs

This reduces per-box disk usage by ~20MB+ and eliminates unnecessary I/O during box creation.
On macOS, sandbox-exec (SIP-protected) strips DYLD_* env vars, so
dlopen("libkrunfw.5.dylib") inside libkrun can only find the library
via the shim binary's rpath. Create symlinks (not copies) in bin/ so
rpath resolution works without duplicating multi-MB dylibs per box.
Replace the symlink approach with copying only libkrunfw alongside the shim binary. libkrun dlopen's libkrunfw at runtime and the shim's rpath resolves to bin/ — on macOS, DYLD_* env vars are stripped by SIP when going through sandbox-exec, so the library must be physically present. Other bundled libraries (libkrun, libgvproxy) are no longer copied: libkrun is statically linked on macOS, and libgvproxy is a separate process found via binary discovery.
Summary

- box_dir/bin/ during box creation
- LD_LIBRARY_PATH setting from Jailer::command() — it was overwritten by configure_library_env in spawn.rs
- clone_export_import.rs (ParallelRuntime → standard test setup pattern)

Why libkrunfw must be copied

On macOS, sandbox-exec is a SIP-protected system binary that strips DYLD_* environment variables. Since libkrun loads libkrunfw via dlopen("libkrunfw.5.dylib"), the library must be physically present in a directory on the shim's rpath (i.e., bin/). Without it, the VM fails to start with Couldn't find or load libkrunfw.5.dylib.

Test plan

- cargo clippy -p boxlite --tests -- -D warnings passes (zero warnings)
- cargo fmt --all --check clean
- main)
- box_dir/bin/ contains only boxlite-shim + libkrunfw.* (no libkrun, libgvproxy)
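One way to automate the last test-plan item, as an added example that is not code from this PR or the boxlite project: it audits a box's bin/ directory for entries other than boxlite-shim and libkrunfw.*. The names `Finding`, `allowed` and `audit_bin_dir` are hypothetical, and flagging non-regular entries is an assumption drawn from the description's statement that the library must be physically present.

```rust
use std::{fs, io, path::Path};

/// One problem found in a box's bin/ directory (hypothetical type).
#[derive(Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Finding {
    Unexpected(String), // name is neither the shim nor libkrunfw.*
    NotRegular(String), // allowed name, but a symlink or directory
}

/// True for the two names the test plan allows in box_dir/bin/.
fn allowed(name: &str) -> bool {
    name == "boxlite-shim" || name.starts_with("libkrunfw.")
}

/// Audit `bin_dir`; returns sorted findings and whether a regular
/// libkrunfw.* file is present (the VM cannot start without it).
pub fn audit_bin_dir(bin_dir: &Path) -> io::Result<(Vec<Finding>, bool)> {
    let mut findings = Vec::new();
    let mut has_fw = false;
    for entry in fs::read_dir(bin_dir)? {
        let entry = entry?;
        let name = entry.file_name().to_string_lossy().into_owned();
        // symlink_metadata does not follow links, so a symlink is seen as one.
        let meta = fs::symlink_metadata(entry.path())?;
        if !allowed(&name) {
            findings.push(Finding::Unexpected(name));
        } else if !meta.file_type().is_file() {
            findings.push(Finding::NotRegular(name));
        } else if name.starts_with("libkrunfw.") {
            has_fw = true;
        }
    }
    findings.sort();
    Ok((findings, has_fw))
}

fn main() -> io::Result<()> {
    // Constructed sample layout in a temp directory (not a real box).
    let dir = std::env::temp_dir().join(format!("box-audit-{}", std::process::id()));
    let bin = dir.join("bin");
    fs::create_dir_all(&bin)?;
    for f in ["boxlite-shim", "libkrunfw.5.dylib", "libgvproxy.dylib"] {
        fs::write(bin.join(f), b"")?;
    }
    let (findings, has_fw) = audit_bin_dir(&bin)?;
    println!("libkrunfw present: {has_fw}; findings: {findings:?}");
    fs::remove_dir_all(&dir)
}
```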