Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / minijail / 0bacbf8a35a2788fef8f6ca467eabe2cdc9c70a7
commit0bacbf8a35a2788fef8f6ca467eabe2cdc9c70a7[log] [tgz]
authorLuis Hector Chavez <lhchavez@google.com>Tue Jul 10 20:06:55 2018 -0700
committerLuis Hector Chavez <lhchavez@google.com>Wed Jul 11 10:23:26 2018 -0700
treeab172d01bb0b95fa2ae6b556cbb89262c45847a6
parent6bdebb0e92a9668da28130ae5aad3a7eaefb8299 [diff]
minijail: Copy the mount flags from source when bind-mounting

This change makes all bindmounts copy the mount flags from the source
path if a remount is issued. It also fixes a bug where ro mounts could
never become rw.

Bug: 111325710
Test: make tests
Test: Repro scenario in https://crbug.com/862171
Change-Id: Ia87ea2933f1ab1b8a9fd2efd6f832c51a5a8f7a2
4 files changed
tree: ab172d01bb0b95fa2ae6b556cbb89262c45847a6
  1. examples/
  2. linux-x86/
  3. test/
  4. tools/
  5. .clang-format
  6. .gitignore
  7. Android.bp
  8. arch.h
  9. bpf.c
  10. bpf.h
  11. CleanSpec.mk
  12. common.mk
  13. CPPLINT.cfg
  14. elfparse.c
  15. elfparse.h
  16. gen_constants-inl.h
  17. gen_constants.c
  18. gen_constants.sh
  19. gen_syscalls.c
  20. gen_syscalls.sh
  21. get_googletest.sh
  22. HACKING.md
  23. libconstants.h
  24. libminijail-private.h
  25. libminijail.c
  26. libminijail.h
  27. libminijail.pc.in
  28. libminijail_unittest.cc
  29. libminijailpreload.c
  30. libsyscalls.h
  31. LICENSE
  32. Makefile
  33. minijail0.1
  34. minijail0.5
  35. minijail0.c
  36. minijail0_cli.c
  37. minijail0_cli.h
  38. minijail0_cli_unittest.cc
  39. MODULE_LICENSE_BSD
  40. navbar.md
  41. NOTICE
  42. OWNERS
  43. parse_seccomp_policy.cc
  44. platform2_preinstall.sh
  45. PRESUBMIT.cfg
  46. PREUPLOAD.cfg
  47. README.md
  48. RELEASE.md
  49. scoped_minijail.h
  50. signal_handler.c
  51. signal_handler.h
  52. syscall_filter.c
  53. syscall_filter.h
  54. syscall_filter_unittest.cc
  55. syscall_filter_unittest_macros.h
  56. syscall_wrapper.c
  57. syscall_wrapper.h
  58. system.c
  59. system.h
  60. system_unittest.cc
  61. testrunner.cc
  62. util.c
  63. util.h
  64. util_unittest.cc
README.md

Minijail

The Minijail homepage & main repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS, and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting The Code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release Process

See the RELEASE.md document for more details.

Contact

We've got a couple of contact points.

Talks and Presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example Usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000