| commit | cf48b4411d34a1f01e9a403e63472fd51a2c3055 | [log] [tgz] |
|---|---|---|
| author | Mike Frysinger <vapier@google.com> | Tue Aug 07 01:59:51 2018 -0400 |
| committer | Treehugger Robot <treehugger-gerrit@google.com> | Thu Aug 23 19:13:37 2018 +0000 |
| tree | 92054aeb201e4e27cf1eb4561164a18ad2b68ab7 | |
| parent | 825828c2757c4cbba7b1e972d0e8d2670e638672 [diff] |
drop syscall filter line length check This check isn't here due to any technical limitation in the code itself, so drop it. Some filters (like ioctl) can actually be quite long and it's not feasible (currently) to shorten them. Bug: None Test: unittests pass Change-Id: I77bfa96ada9821116d3686be0ed6b77e685fdeff
The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.
There might be other copies floating around, but this is the official one!
Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.
You're one git clone away from happiness.
$ git clone https://android.googlesource.com/platform/external/minijail $ cd minijail
Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs
See the HACKING.md document for more details.
See the RELEASE.md document for more details.
We've got a couple of contact points.
The following talk serves as a good introduction to Minijail and how it can be used.
The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.
After you play with the simple examples below, you should check that out.
# id uid=0(root) gid=0(root) groups=0(root),128(pkcs11) # minijail0 -u jorgelo -g 5000 /usr/bin/id uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status Name: cat ... CapInh: 0000000000003000 CapPrm: 0000000000003000 CapEff: 0000000000003000 CapBnd: 0000000000003000