blob: dbec74dde525c5c8d909dd8c802a19699fc5d286 [file] [log] [blame]
.TH MINIJAIL0 "1" "January 2012" "Chromium OS" "User Commands"
.SH NAME
minijail0 \- sandbox a process
.SH SYNOPSIS
.B minijail0
[\fIOPTION\fR]... <\fIprogram\fR> [\fIargs\fR]...
.SH DESCRIPTION
.PP
Runs PROGRAM inside a sandbox.
.TP
\fB-a <table>\fR
Run using the alternate syscall table named <table>. Only available on kernels
and architectures that support the PR_ALT_SYSCALL option of prctl(2).
.TP
\fB-b <src>,<dest>[,<writeable>]
Bind-mount <src> into the chroot directory at <dest>, optionally writeable.
.TP
\fB-c <caps>\fR
Restrict capabilities to \fIcaps\fR. When used in conjunction with \fB-u\fR and
\fB-g\fR, this allows a program to have access to only certain parts of root's
default privileges while running as another user and group ID altogether. Note
that these capabilities are not inherited by subprocesses of the process given
capabilities unless those subprocesses have POSIX file capabilities. See
\fBcapabilities\fR(7).
.TP
\fB-C <dir>\fR
Change root (using chroot(2)) to <dir>.
.TP
\fB-e[file]\fR
Enter a new network namespace, or if \fIfile\fR is specified, Enter an existing
network namespace specified by \fIfile\fR which is typically of the form
/proc/<pid>/ns/net.
.TP
\fB-f <file>\fR
Write the pid of the jailed process to \fIfile\fR.
.TP
\fB-t\fR
Mounts a tmpfs filesystem on /tmp. /tmp must exist in the chroot.
This must be used with -C. The default filesystem has a max size of 128M
and has standard /tmp permissions (777).
.TP
\fB-G\fR
Inherit all the supplementary groups of the user specified with \fB-u\fR. It
is an error to use this option without having specified a \fBuser name\fR to
\fB-u\fR.
.TP
\fB-g <group>\fR
Change groups to \fIgroup\fR, which may be either a group name or a numeric
group ID.
.TP
\fB-h\fR
Print a help message.
.TP
\fB-H\fR
Print a help message detailing supported system call names for seccomp_filter.
(Other direct numbers may be specified if minijail0 is not in sync with the
host kernel or something like 32/64-bit compatibility issues exist.)
.TP
\fB-l\fR
Run inside a new IPC namespace. This option makes the program's System V IPC
namespace independent.
.TP
\fB-m "<uid> <loweruid> <count>[,<uid> <loweruid> <count>]"\fR
Set the uid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
\fBnewuidmap(1)\fR. Multiple mappings should be separated by ','.
.TP
\fB-M "<uid> <loweruid> <count>[,<uid> <loweruid> <count>]"\fR
Set the gid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
\fBnewgidmap(1)\fR. Multiple mappings should be separated by ','.
.TP
\fB-p\fR
Run inside a new PID namespace. This option will make it impossible for the
program to see or affect processes that are not its descendants. This implies
\fB-v\fR and \fB-r\fR, since otherwise the process can see outside its namespace
by inspecting /proc.
.TP
\fB-P <dir>\fR
Set \fIdir\fR as the root fs using \fBpivot_root\fR. Implies \fB-v\fR, not
compatible with \fB-C\fR.
.TP
\fB-r\fR
Remount /proc readonly. This implies \fB-v\fR. Remounting /proc readonly means
that even if the process has write access to a system config knob in /proc
(e.g., in /sys/kernel), it cannot change the value.
.TP
\fB-s\fR
Enable seccomp(2) in mode 1, which restricts the child process to a very small
set of system calls.
.TP
\fB-S <arch-specific seccomp_filter policy file>\fR
Enable seccomp(2) in mode 13 which restricts the child process to a set of
system calls defined in the policy file. Note that system calls often change
names based on the architecture or mode. (uname -m is your friend.)
.TP
\fB-u <user>\fR
Change users to \fIuser\fR, which may be either a user name or a numeric user
ID.
.TP
\fB-v\fR
Run inside a new VFS namespace. This option makes the program's mountpoints
independent of the rest of the system's.
.TP
\fB-V <file>\fR
Enter the VFS namespace specified by \fIfile\fR.
.SH IMPLEMENTATION
This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper
library called \fBlibminijailpreload\fR. Some jailings can only be achieved from
the process to which they will actually apply - specifically capability use
(since capabilities are not inherited to an exec'd process unless the exec'd
process has POSIX file capabilities), seccomp (since we can't exec() once we're
seccomp'd), and ptrace-disable (which is always cleared on exec().
To this end, \fBlibminijailpreload\fR is forcibly loaded into all
dynamically-linked target programs if any of these restrictions are in effect;
we pass the specific restrictions in an environment variable which the preloaded
library looks for. The forcibly-loaded library then applies the restrictions
to the newly-loaded program.
.SH AUTHOR
Written by Elly Jones (ellyjones@chromium.org)
.SH COPYRIGHT
Copyright \(co 2011 The Chromium OS Authors
License BSD-like.
.SH "SEE ALSO"
\fBlibminijail.h\fR \fBminijail0(5)\fR