minijail0: add chroot support. Support a -C commandline option to chroot(), and a -b commandline option to bind-mount paths into the chroot from outside. BUG=chromium-os:21165 TESTED_ON=kaen TEST=None yet Change-Id: Ia6a7a4498968a4bc6a12f8274fdb8c4be9d23ca4 Signed-off-by: Elly Jones <ellyjones@chromium.org> Reviewed-on: http://gerrit.chromium.org/gerrit/8661 Reviewed-by: Kees Cook <keescook@chromium.org>

commit: 51a5b6c7f464100cea4c79f737fab2e582904135 [log] [tgz]
author: Elly Jones <ellyjones@chromium.org> Wed Oct 12 19:09:26 2011 -0400
committer: Elly Jones <ellyjones@chromium.org> Mon Oct 17 11:14:13 2011 -0700
tree: 918734a4b09022775da1fc2f68815f8f7a0d28fd
parent: e1749eb93a119bf03b5b033d74c541dbb45be00e [diff] [blame]
diff --git a/minijail0.1 b/minijail0.1
index 6aedb81..72f569c 100644
--- a/minijail0.1
+++ b/minijail0.1

@@ -8,8 +8,15 @@
 .PP
 Runs PROGRAM inside a sandbox.
 .TP
+\fB-b <src>,<dest>[,<writeable>]
+Bind-mount <src> into the chroot directory at <dest>, optionally writeable.
+.TP
 \fB-c <caps>\fR
 Restrict capabilities to \fIcaps\fR. When used in conjunction with \fB-u\fR and
+.TP
+\fB-C <dir>\fR
+Change root (using chroot(2)) to <dir>.
+.TP
 \fB-g\fR, this allows a program to have access to only certain parts of root's
 default privileges while running as another user and group ID altogether. Note
 that these capabilities are not inherited by subprocesses of the process given
commit	51a5b6c7f464100cea4c79f737fab2e582904135	[log] [tgz]
author	Elly Jones <ellyjones@chromium.org>	Wed Oct 12 19:09:26 2011 -0400
committer	Elly Jones <ellyjones@chromium.org>	Mon Oct 17 11:14:13 2011 -0700
tree	918734a4b09022775da1fc2f68815f8f7a0d28fd
parent	e1749eb93a119bf03b5b033d74c541dbb45be00e [diff] [blame]