Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / minijail / 31b02653c2560f8331934e879263beda44c6cc76
commit31b02653c2560f8331934e879263beda44c6cc76[log] [tgz]
authorLuis Hector Chavez <lhchavez@google.com>Mon Jul 09 14:14:49 2018 -0700
committerLuis Hector Chavez <lhchavez@google.com>Tue Jul 10 10:03:49 2018 -0700
treef85a9ff43dbe382bab0fcaf3f95593165c1e125b
parentcc559e83a56630c7e8f7c725e9462864cb4418d0 [diff]
minijail: Preserve the die() message in the stack

This change allocates a buffer in the stack where the die() message will
be formatted into. This causes the minidump to contain whatever crash
message was emitted to be captured in the file. The default behavior in
glibc's vsyslog(3) is to allocate a buffer somewhere in the heap, and
that's why we don't currently have these messages. bionic's vsyslog(3)
implementation does allocate a stack buffer, so we'll have N+1
redundancy of the log message.

Bug: 111271997
Test: Inspected the generated code, was convinced that the minidump
      should contain the crash message.
Change-Id: I4577c311d0d95bf44d90febfec09fbd06b9e35d1
1 file changed
tree: f85a9ff43dbe382bab0fcaf3f95593165c1e125b
  1. examples/
  2. linux-x86/
  3. test/
  4. tools/
  5. .clang-format
  6. .gitignore
  7. Android.bp
  8. arch.h
  9. bpf.c
  10. bpf.h
  11. CleanSpec.mk
  12. common.mk
  13. CPPLINT.cfg
  14. elfparse.c
  15. elfparse.h
  16. gen_constants-inl.h
  17. gen_constants.c
  18. gen_constants.sh
  19. gen_syscalls.c
  20. gen_syscalls.sh
  21. get_googletest.sh
  22. HACKING.md
  23. libconstants.h
  24. libminijail-private.h
  25. libminijail.c
  26. libminijail.h
  27. libminijail.pc.in
  28. libminijail_unittest.cc
  29. libminijailpreload.c
  30. libsyscalls.h
  31. LICENSE
  32. Makefile
  33. minijail0.1
  34. minijail0.5
  35. minijail0.c
  36. minijail0_cli.c
  37. minijail0_cli.h
  38. minijail0_cli_unittest.cc
  39. MODULE_LICENSE_BSD
  40. navbar.md
  41. NOTICE
  42. OWNERS
  43. parse_seccomp_policy.cc
  44. platform2_preinstall.sh
  45. PRESUBMIT.cfg
  46. PREUPLOAD.cfg
  47. README.md
  48. RELEASE.md
  49. scoped_minijail.h
  50. signal_handler.c
  51. signal_handler.h
  52. syscall_filter.c
  53. syscall_filter.h
  54. syscall_filter_unittest.cc
  55. syscall_filter_unittest_macros.h
  56. syscall_wrapper.c
  57. syscall_wrapper.h
  58. system.c
  59. system.h
  60. system_unittest.cc
  61. testrunner.cc
  62. util.c
  63. util.h
  64. util_unittest.cc
README.md

Minijail

The Minijail homepage & main repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS, and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting The Code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release Process

See the RELEASE.md document for more details.

Contact

We've got a couple of contact points.

Talks and Presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example Usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000