iSulad/0185-sandbox-sandboxer-code-isolation.patch

From e36d01f2f3a91060b0fecd3ef4b2c0e09b1e5f23 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Fri, 7 Feb 2025 11:43:21 +0800
Subject: [PATCH 185/198] sandbox:sandboxer code isolation

Signed-off-by: liuxu <liuxu156@huawei.com>
---
 .../modules/service/service_container.c       | 37 ++++++++-----------
 src/daemon/sandbox/sandbox.cc                 | 10 ++++-
 src/daemon/sandbox/sandbox.h                  |  6 ++-
 src/daemon/sandbox/sandbox_ops.cc             |  2 +
 src/daemon/sandbox/sandbox_ops.h              |  2 +
 .../sandbox/{ => sandboxer}/sandbox_task.cc   |  0
 .../sandbox/{ => sandboxer}/sandbox_task.h    |  0
 7 files changed, 33 insertions(+), 24 deletions(-)
 rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.cc (100%)
 rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.h (100%)

diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index 250e8299..18104781 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -780,6 +780,9 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
     oci_runtime_spec *oci_spec = NULL;
     rt_create_params_t create_params = { 0 };
     rt_start_params_t start_params = { 0 };
+#ifdef ENABLE_SANDBOXER
+    int prepare_container_ret = -1;
+#endif
 
     nret = snprintf(bundle, sizeof(bundle), "%s/%s", cont->root_path, id);
     if (nret < 0 || (size_t)nret >= sizeof(bundle)) {
@@ -904,7 +907,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
     }
 #endif
 
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
     if (cont->common_config->sandbox_info != NULL &&
         sandbox_prepare_container(cont->common_config,
                                   oci_spec, console_fifos, tty) != 0) {
@@ -912,6 +915,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
         ret = -1;
         goto close_exit_fd;
     }
+    prepare_container_ret = 0;
 #endif
 
     create_params.bundle = bundle;
@@ -935,11 +939,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
 
     if (runtime_create(id, runtime, &create_params) != 0) {
         ret = -1;
-#ifdef ENABLE_CRI_API_V1
-        goto clean_prepare_container;
-#else
         goto close_exit_fd;
-#endif
     }
 
     start_params.rootpath = cont->root_path;
@@ -962,32 +962,25 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
         if (do_post_start_on_success(cont, exit_fifo_fd, exit_fifo, pid_info) != 0) {
             ERROR("Failed to do post start on runtime start success");
             ret = -1;
-#ifdef ENABLE_CRI_API_V1
-            goto clean_prepare_container;
-#else
             goto close_exit_fd;
-#endif
         }
     } else {
         // wait monitor cleanup cgroup and processes finished
         wait_exit_fifo(id, exit_fifo_fd);
-#ifdef ENABLE_CRI_API_V1
-        goto clean_prepare_container;
-#else
         goto close_exit_fd;
-#endif
     }
     goto out;
 
-#ifdef ENABLE_CRI_API_V1
-clean_prepare_container:
-    if (cont->common_config->sandbox_info != NULL &&
-        sandbox_purge_container(cont->common_config) != 0) {
-        ERROR("Failed to remove container %s from sandbox", id);
+close_exit_fd:
+#ifdef ENABLE_SANDBOXER
+    if (prepare_container_ret == 0) {
+        if (cont->common_config->sandbox_info != NULL &&
+            sandbox_purge_container(cont->common_config) != 0) {
+            ERROR("Failed to remove container %s from sandbox", id);
+        }
     }
 #endif
 
-close_exit_fd:
     close(exit_fifo_fd);
     clean_resources_on_failure(cont, engine_log_path, loglevel);
 
@@ -1689,7 +1682,7 @@ int stop_container(container_t *cont, int timeout, bool force, bool restart)
         }
     }
 
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
     if (cont->common_config->sandbox_info != NULL &&
         sandbox_purge_container(cont->common_config) != 0) {
         ERROR("Failed to remove container %s from sandbox", id);
@@ -2159,7 +2152,7 @@ static int do_exec_container(const container_t *cont, const char *runtime, char
         goto out;
     }
 
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
     if (cont->common_config->sandbox_info != NULL &&
         sandbox_prepare_exec(cont->common_config, request->suffix,
                              process_spec, (const char **)console_fifos, request->tty) != 0) {
@@ -2283,7 +2276,7 @@ static void exec_container_end(container_exec_response *response, const containe
                                const char *exec_id, uint32_t cc,
                                int exit_code, int sync_fd, pthread_t thread_id)
 {
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
     if (cont->common_config->sandbox_info != NULL &&
         sandbox_purge_exec(cont->common_config, exec_id) != 0) {
         ERROR("Failed to purge container for exec %s", exec_id);
diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc
index d105d71a..d5681d48 100644
--- a/src/daemon/sandbox/sandbox.cc
+++ b/src/daemon/sandbox/sandbox.cc
@@ -494,7 +494,9 @@ auto Sandbox::Load(Errors &error) -> bool
     }
 
     LoadNetworkSetting();
+#ifdef ENABLE_SANDBOXER
     LoadSandboxTasks();
+#endif
 
     // When the sandbox status acquisition fails or wait fails, the sandbox status is set to not ready,
     // and the user decides whether to delete the sandbox.
@@ -583,9 +585,11 @@ void Sandbox::CleanupSandboxDirs()
         ERROR("Failed to delete sandbox's root directory %s", m_rootdir.c_str());
     }
 
+#ifdef ENABLE_SANDBOXER
     if (util_recursive_rmdir(m_statedir.c_str(), 0) != 0) {
-        ERROR("Failed to delete sandbox's state directory %s", m_rootdir.c_str());
+        ERROR("Failed to delete sandbox's state directory %s", m_statedir.c_str());
     }
+#endif
 }
 
 void Sandbox::PrepareSandboxDirs(Errors &error)
@@ -615,12 +619,14 @@ void Sandbox::PrepareSandboxDirs(Errors &error)
         goto out;
     }
 
+#ifdef ENABLE_SANDBOXER
     nret = util_mkdir_p(m_statedir.c_str(), TEMP_DIRECTORY_MODE);
     if (nret < 0) {
         error.Errorf("Unable to create sandbox state directory %s.", m_statedir.c_str());
         ERROR("Unable to create sandbox state directory %s.", m_statedir.c_str());
         goto out;
     }
+#endif
 
     umask(mask);
     return;
@@ -1119,6 +1125,7 @@ void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error)
     metadata->sandbox_config_json = util_strdup_s(jsonStr.c_str());
 }
 
+#ifdef ENABLE_SANDBOXER
 void Sandbox::LoadSandboxTasks()
 {
 }
@@ -1145,5 +1152,6 @@ auto Sandbox::PurgeExec(const char *containerId, const char *execId) -> int
 {
     return 0;
 }
+#endif
 
 }
\ No newline at end of file
diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h
index 58d60ecb..3a7b0736 100644
--- a/src/daemon/sandbox/sandbox.h
+++ b/src/daemon/sandbox/sandbox.h
@@ -23,6 +23,9 @@
 #include <isula_libutils/container_network_settings.h>
 #include <isula_libutils/sandbox_state.h>
 #include <isula_libutils/sandbox_metadata.h>
+#ifdef ENABLE_SANDBOXER
+#include <isula_libutils/oci_runtime_spec.h>
+#endif
 
 #include "api_v1.grpc.pb.h"
 #include "errors.h"
@@ -30,7 +33,6 @@
 #include "controller_manager.h"
 #include "cstruct_wrapper.h"
 #include "read_write_lock.h"
-#include "sandbox_task.h"
 
 namespace sandbox {
 
@@ -140,6 +142,7 @@ public:
     auto Remove(Errors &error) -> bool;
     void Status(runtime::v1::PodSandboxStatus &status);
 
+#ifdef ENABLE_SANDBOXER
     // for sandbox api update
     virtual void LoadSandboxTasks();
     virtual auto PrepareContainer(const char *containerId, const char *baseFs,
@@ -149,6 +152,7 @@ public:
                              defs_process *processSpec, const char *consoleFifos[]) -> int;
     virtual auto PurgeContainer(const char *containerId) -> int;
     virtual auto PurgeExec(const char *containerId, const char *execId) -> int;
+#endif
 
 private:
     auto SaveState(Errors &error) -> bool;
diff --git a/src/daemon/sandbox/sandbox_ops.cc b/src/daemon/sandbox/sandbox_ops.cc
index ae881933..cf88c1bd 100644
--- a/src/daemon/sandbox/sandbox_ops.cc
+++ b/src/daemon/sandbox/sandbox_ops.cc
@@ -25,6 +25,7 @@
 #include "namespace.h"
 #include "utils.h"
 
+#ifdef ENABLE_SANDBOXER
 static inline bool validate_sandbox_info(const container_sandbox_info *sandbox)
 {
     return (sandbox != NULL && sandbox->sandboxer != NULL &&
@@ -110,6 +111,7 @@ int sandbox_purge_exec(const container_config_v2_common_config *config, const ch
 
     return sandbox->PurgeExec(config->id, exec_id);
 }
+#endif /* ENABLE_SANDBOXER */
 
 int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code)
 {
diff --git a/src/daemon/sandbox/sandbox_ops.h b/src/daemon/sandbox/sandbox_ops.h
index 8189efd6..e1309313 100644
--- a/src/daemon/sandbox/sandbox_ops.h
+++ b/src/daemon/sandbox/sandbox_ops.h
@@ -24,6 +24,7 @@
 extern "C" {
 #endif
 
+#ifdef ENABLE_SANDBOXER
 int sandbox_prepare_container(const container_config_v2_common_config *config,
                               const oci_runtime_spec *oci_spec,
                               const char *console_fifos[], bool tty);
@@ -35,6 +36,7 @@ int sandbox_prepare_exec(const container_config_v2_common_config *config,
 int sandbox_purge_container(const container_config_v2_common_config *config);
 
 int sandbox_purge_exec(const container_config_v2_common_config *config, const char *exec_id);
+#endif
 
 int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code);
 
diff --git a/src/daemon/sandbox/sandbox_task.cc b/src/daemon/sandbox/sandboxer/sandbox_task.cc
similarity index 100%
rename from src/daemon/sandbox/sandbox_task.cc
rename to src/daemon/sandbox/sandboxer/sandbox_task.cc
diff --git a/src/daemon/sandbox/sandbox_task.h b/src/daemon/sandbox/sandboxer/sandbox_task.h
similarity index 100%
rename from src/daemon/sandbox/sandbox_task.h
rename to src/daemon/sandbox/sandboxer/sandbox_task.h
-- 
2.34.1
sync patches from upstream 2025-05-14 14:16:41 +08:00			`From e36d01f2f3a91060b0fecd3ef4b2c0e09b1e5f23 Mon Sep 17 00:00:00 2001`
			`From: liuxu <liuxu156@huawei.com>`
			`Date: Fri, 7 Feb 2025 11:43:21 +0800`
			`Subject: [PATCH 185/198] sandbox:sandboxer code isolation`

			`Signed-off-by: liuxu <liuxu156@huawei.com>`
			`---`
			`.../modules/service/service_container.c \| 37 ++++++++-----------`
			`src/daemon/sandbox/sandbox.cc \| 10 ++++-`
			`src/daemon/sandbox/sandbox.h \| 6 ++-`
			`src/daemon/sandbox/sandbox_ops.cc \| 2 +`
			`src/daemon/sandbox/sandbox_ops.h \| 2 +`
			`.../sandbox/{ => sandboxer}/sandbox_task.cc \| 0`
			`.../sandbox/{ => sandboxer}/sandbox_task.h \| 0`
			`7 files changed, 33 insertions(+), 24 deletions(-)`
			`rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.cc (100%)`
			`rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.h (100%)`

			`diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c`
			`index 250e8299..18104781 100644`
			`--- a/src/daemon/modules/service/service_container.c`
			`+++ b/src/daemon/modules/service/service_container.c`
			`@@ -780,6 +780,9 @@ static int do_start_container(container_t cont, const char console_fifos[], bo`
			`oci_runtime_spec *oci_spec = NULL;`
			`rt_create_params_t create_params = { 0 };`
			`rt_start_params_t start_params = { 0 };`
			`+#ifdef ENABLE_SANDBOXER`
			`+ int prepare_container_ret = -1;`
			`+#endif`

			`nret = snprintf(bundle, sizeof(bundle), "%s/%s", cont->root_path, id);`
			`if (nret < 0 \|\| (size_t)nret >= sizeof(bundle)) {`
			`@@ -904,7 +907,7 @@ static int do_start_container(container_t cont, const char console_fifos[], bo`
			`}`
			`#endif`

			`-#ifdef ENABLE_CRI_API_V1`
			`+#ifdef ENABLE_SANDBOXER`
			`if (cont->common_config->sandbox_info != NULL &&`
			`sandbox_prepare_container(cont->common_config,`
			`oci_spec, console_fifos, tty) != 0) {`
			`@@ -912,6 +915,7 @@ static int do_start_container(container_t cont, const char console_fifos[], bo`
			`ret = -1;`
			`goto close_exit_fd;`
			`}`
			`+ prepare_container_ret = 0;`
			`#endif`

			`create_params.bundle = bundle;`
			`@@ -935,11 +939,7 @@ static int do_start_container(container_t cont, const char console_fifos[], bo`

			`if (runtime_create(id, runtime, &create_params) != 0) {`
			`ret = -1;`
			`-#ifdef ENABLE_CRI_API_V1`
			`- goto clean_prepare_container;`
			`-#else`
			`goto close_exit_fd;`
			`-#endif`
			`}`

			`start_params.rootpath = cont->root_path;`
			`@@ -962,32 +962,25 @@ static int do_start_container(container_t cont, const char console_fifos[], bo`
			`if (do_post_start_on_success(cont, exit_fifo_fd, exit_fifo, pid_info) != 0) {`
			`ERROR("Failed to do post start on runtime start success");`
			`ret = -1;`
			`-#ifdef ENABLE_CRI_API_V1`
			`- goto clean_prepare_container;`
			`-#else`
			`goto close_exit_fd;`
			`-#endif`
			`}`
			`} else {`
			`// wait monitor cleanup cgroup and processes finished`
			`wait_exit_fifo(id, exit_fifo_fd);`
			`-#ifdef ENABLE_CRI_API_V1`
			`- goto clean_prepare_container;`
			`-#else`
			`goto close_exit_fd;`
			`-#endif`
			`}`
			`goto out;`

			`-#ifdef ENABLE_CRI_API_V1`
			`-clean_prepare_container:`
			`- if (cont->common_config->sandbox_info != NULL &&`
			`- sandbox_purge_container(cont->common_config) != 0) {`
			`- ERROR("Failed to remove container %s from sandbox", id);`
			`+close_exit_fd:`
			`+#ifdef ENABLE_SANDBOXER`
			`+ if (prepare_container_ret == 0) {`
			`+ if (cont->common_config->sandbox_info != NULL &&`
			`+ sandbox_purge_container(cont->common_config) != 0) {`
			`+ ERROR("Failed to remove container %s from sandbox", id);`
			`+ }`
			`}`
			`#endif`

			`-close_exit_fd:`
			`close(exit_fifo_fd);`
			`clean_resources_on_failure(cont, engine_log_path, loglevel);`

			`@@ -1689,7 +1682,7 @@ int stop_container(container_t *cont, int timeout, bool force, bool restart)`
			`}`
			`}`

			`-#ifdef ENABLE_CRI_API_V1`
			`+#ifdef ENABLE_SANDBOXER`
			`if (cont->common_config->sandbox_info != NULL &&`
			`sandbox_purge_container(cont->common_config) != 0) {`
			`ERROR("Failed to remove container %s from sandbox", id);`
			`@@ -2159,7 +2152,7 @@ static int do_exec_container(const container_t cont, const char runtime, char`
			`goto out;`
			`}`

			`-#ifdef ENABLE_CRI_API_V1`
			`+#ifdef ENABLE_SANDBOXER`
			`if (cont->common_config->sandbox_info != NULL &&`
			`sandbox_prepare_exec(cont->common_config, request->suffix,`
			`process_spec, (const char **)console_fifos, request->tty) != 0) {`
			`@@ -2283,7 +2276,7 @@ static void exec_container_end(container_exec_response *response, const containe`
			`const char *exec_id, uint32_t cc,`
			`int exit_code, int sync_fd, pthread_t thread_id)`
			`{`
			`-#ifdef ENABLE_CRI_API_V1`
			`+#ifdef ENABLE_SANDBOXER`
			`if (cont->common_config->sandbox_info != NULL &&`
			`sandbox_purge_exec(cont->common_config, exec_id) != 0) {`
			`ERROR("Failed to purge container for exec %s", exec_id);`
			`diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc`
			`index d105d71a..d5681d48 100644`
			`--- a/src/daemon/sandbox/sandbox.cc`
			`+++ b/src/daemon/sandbox/sandbox.cc`
			`@@ -494,7 +494,9 @@ auto Sandbox::Load(Errors &error) -> bool`
			`}`

			`LoadNetworkSetting();`
			`+#ifdef ENABLE_SANDBOXER`
			`LoadSandboxTasks();`
			`+#endif`

			`// When the sandbox status acquisition fails or wait fails, the sandbox status is set to not ready,`
			`// and the user decides whether to delete the sandbox.`
			`@@ -583,9 +585,11 @@ void Sandbox::CleanupSandboxDirs()`
			`ERROR("Failed to delete sandbox's root directory %s", m_rootdir.c_str());`
			`}`

			`+#ifdef ENABLE_SANDBOXER`
			`if (util_recursive_rmdir(m_statedir.c_str(), 0) != 0) {`
			`- ERROR("Failed to delete sandbox's state directory %s", m_rootdir.c_str());`
			`+ ERROR("Failed to delete sandbox's state directory %s", m_statedir.c_str());`
			`}`
			`+#endif`
			`}`

			`void Sandbox::PrepareSandboxDirs(Errors &error)`
			`@@ -615,12 +619,14 @@ void Sandbox::PrepareSandboxDirs(Errors &error)`
			`goto out;`
			`}`

			`+#ifdef ENABLE_SANDBOXER`
			`nret = util_mkdir_p(m_statedir.c_str(), TEMP_DIRECTORY_MODE);`
			`if (nret < 0) {`
			`error.Errorf("Unable to create sandbox state directory %s.", m_statedir.c_str());`
			`ERROR("Unable to create sandbox state directory %s.", m_statedir.c_str());`
			`goto out;`
			`}`
			`+#endif`

			`umask(mask);`
			`return;`
			`@@ -1119,6 +1125,7 @@ void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error)`
			`metadata->sandbox_config_json = util_strdup_s(jsonStr.c_str());`
			`}`

			`+#ifdef ENABLE_SANDBOXER`
			`void Sandbox::LoadSandboxTasks()`
			`{`
			`}`
			`@@ -1145,5 +1152,6 @@ auto Sandbox::PurgeExec(const char containerId, const char execId) -> int`
			`{`
			`return 0;`
			`}`
			`+#endif`

			`}`
			`\ No newline at end of file`
			`diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h`
			`index 58d60ecb..3a7b0736 100644`
			`--- a/src/daemon/sandbox/sandbox.h`
			`+++ b/src/daemon/sandbox/sandbox.h`
			`@@ -23,6 +23,9 @@`
			`#include <isula_libutils/container_network_settings.h>`
			`#include <isula_libutils/sandbox_state.h>`
			`#include <isula_libutils/sandbox_metadata.h>`
			`+#ifdef ENABLE_SANDBOXER`
			`+#include <isula_libutils/oci_runtime_spec.h>`
			`+#endif`

			`#include "api_v1.grpc.pb.h"`
			`#include "errors.h"`
			`@@ -30,7 +33,6 @@`
			`#include "controller_manager.h"`
			`#include "cstruct_wrapper.h"`
			`#include "read_write_lock.h"`
			`-#include "sandbox_task.h"`

			`namespace sandbox {`

			`@@ -140,6 +142,7 @@ public:`
			`auto Remove(Errors &error) -> bool;`
			`void Status(runtime::v1::PodSandboxStatus &status);`

			`+#ifdef ENABLE_SANDBOXER`
			`// for sandbox api update`
			`virtual void LoadSandboxTasks();`
			`virtual auto PrepareContainer(const char containerId, const char baseFs,`
			`@@ -149,6 +152,7 @@ public:`
			`defs_process processSpec, const char consoleFifos[]) -> int;`
			`virtual auto PurgeContainer(const char *containerId) -> int;`
			`virtual auto PurgeExec(const char containerId, const char execId) -> int;`
			`+#endif`

			`private:`
			`auto SaveState(Errors &error) -> bool;`
			`diff --git a/src/daemon/sandbox/sandbox_ops.cc b/src/daemon/sandbox/sandbox_ops.cc`
			`index ae881933..cf88c1bd 100644`
			`--- a/src/daemon/sandbox/sandbox_ops.cc`
			`+++ b/src/daemon/sandbox/sandbox_ops.cc`
			`@@ -25,6 +25,7 @@`
			`#include "namespace.h"`
			`#include "utils.h"`

			`+#ifdef ENABLE_SANDBOXER`
			`static inline bool validate_sandbox_info(const container_sandbox_info *sandbox)`
			`{`
			`return (sandbox != NULL && sandbox->sandboxer != NULL &&`
			`@@ -110,6 +111,7 @@ int sandbox_purge_exec(const container_config_v2_common_config *config, const ch`

			`return sandbox->PurgeExec(config->id, exec_id);`
			`}`
			`+#endif /* ENABLE_SANDBOXER */`

			`int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code)`
			`{`
			`diff --git a/src/daemon/sandbox/sandbox_ops.h b/src/daemon/sandbox/sandbox_ops.h`
			`index 8189efd6..e1309313 100644`
			`--- a/src/daemon/sandbox/sandbox_ops.h`
			`+++ b/src/daemon/sandbox/sandbox_ops.h`
			`@@ -24,6 +24,7 @@`
			`extern "C" {`
			`#endif`

			`+#ifdef ENABLE_SANDBOXER`
			`int sandbox_prepare_container(const container_config_v2_common_config *config,`
			`const oci_runtime_spec *oci_spec,`
			`const char *console_fifos[], bool tty);`
			`@@ -35,6 +36,7 @@ int sandbox_prepare_exec(const container_config_v2_common_config *config,`
			`int sandbox_purge_container(const container_config_v2_common_config *config);`

			`int sandbox_purge_exec(const container_config_v2_common_config config, const char exec_id);`
			`+#endif`

			`int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code);`

			`diff --git a/src/daemon/sandbox/sandbox_task.cc b/src/daemon/sandbox/sandboxer/sandbox_task.cc`
			`similarity index 100%`
			`rename from src/daemon/sandbox/sandbox_task.cc`
			`rename to src/daemon/sandbox/sandboxer/sandbox_task.cc`
			`diff --git a/src/daemon/sandbox/sandbox_task.h b/src/daemon/sandbox/sandboxer/sandbox_task.h`
			`similarity index 100%`
			`rename from src/daemon/sandbox/sandbox_task.h`
			`rename to src/daemon/sandbox/sandboxer/sandbox_task.h`
			`--`
			`2.34.1`