Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / minijail / 320c4fc6aadf837b9d032ab4e37451458c0e6628
commit320c4fc6aadf837b9d032ab4e37451458c0e6628[log] [tgz]
authorJorge Lucangeli Obes <jorgelo@google.com>Thu Dec 10 10:38:30 2020 -0500
committerTreehugger Robot <treehugger-gerrit@google.com>Thu Dec 10 19:42:44 2020 +0000
tree9c61132d11322772a0cd5ad3b8784463c438bb70
parent31adc6c9a4dbfd049a8648d1e09e2886e686034a [diff]
Stop attempting to unmount /proc in the user namespace case.

This will never work, because in the user namespace case the new mount
namespace is less privileged than the parent mount namespace and
therefore mounts coming from the parent namespace (like /proc) cannot
be piecemeal unmounted: the are locked together.

Instead of printing a warning message every time, elide the warning
message and add a longer explanation to the code. In the future we can
consider fixing this by first forking off a new mount namespace, doing
the /proc remount, and then entering new user+mount namespaces, but
this is not high priority.

Bug: None
Test: ./minijail0.sh -U -m -M -- /bin/id no longer prints the warning.
Test: sudo ./minijail0.sh -pv -- /bin/mount shows one RO /proc mount.

Change-Id: I364033be71dc69ae4051f377a8491c9e222bc900
1 file changed
tree: 9c61132d11322772a0cd5ad3b8784463c438bb70
  1. .github/
  2. examples/
  3. linux-x86/
  4. rust/
  5. test/
  6. tools/
  7. .clang-format
  8. .gitignore
  9. Android.bp
  10. arch.h
  11. bpf.c
  12. bpf.h
  13. CleanSpec.mk
  14. common.mk
  15. CPPLINT.cfg
  16. dump_constants.cc
  17. elfparse.c
  18. elfparse.h
  19. gen_constants-inl.h
  20. gen_constants.c
  21. gen_constants.sh
  22. gen_syscalls-inl.h
  23. gen_syscalls.c
  24. gen_syscalls.sh
  25. get_googletest.sh
  26. HACKING.md
  27. libconstants.h
  28. libminijail-private.h
  29. libminijail.c
  30. libminijail.h
  31. libminijail.pc.in
  32. libminijail_unittest.cc
  33. libminijailpreload.c
  34. libsyscalls.h
  35. LICENSE
  36. Makefile
  37. METADATA
  38. minijail0.1
  39. minijail0.5
  40. minijail0.c
  41. minijail0.sh
  42. minijail0_cli.c
  43. minijail0_cli.h
  44. minijail0_cli_unittest.cc
  45. MODULE_LICENSE_BSD
  46. navbar.md
  47. NOTICE
  48. OWNERS
  49. OWNERS.rust
  50. parse_seccomp_policy.cc
  51. platform2_preinstall.sh
  52. PRESUBMIT.cfg
  53. PREUPLOAD.cfg
  54. README.md
  55. RELEASE.md
  56. scoped_minijail.h
  57. setup.py
  58. signal_handler.c
  59. signal_handler.h
  60. syscall_filter.c
  61. syscall_filter.h
  62. syscall_filter_unittest.cc
  63. syscall_filter_unittest_macros.h
  64. syscall_wrapper.c
  65. syscall_wrapper.h
  66. system.c
  67. system.h
  68. system_unittest.cc
  69. TEST_MAPPING
  70. testrunner.cc
  71. util.c
  72. util.h
  73. util_unittest.cc
README.md

Minijail

The Minijail homepage is https://google.github.io/minijail/.

The main source repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Additional tools

See the tools/README.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000