Add the --profile flag
This flag allows the caller to specify a sandboxing profile, which sets
various flags commonly used together.
It also adds the 'setup-mount' profile, which sets up a minimalistic
mount namespace rooted at /var/empty with /dev, /tmp, and /proc mounted.
This should make creating containers that don't hold to unnecessary
mounts even simpler.
Bug: 65450844
Test: minijail0 --profile=minimalistic-mountns -p -- /bin/mount
Change-Id: I0b566ebf8dcf2644f16b66a7bb0cf4268a983a46
diff --git a/minijail0.1 b/minijail0.1
index d37080b..9d24422 100644
--- a/minijail0.1
+++ b/minijail0.1
@@ -177,6 +177,18 @@
\fB--logging=<system>\fR
Use \fIsystem\fR as the logging system. \fIsystem\fR must be one of
\fBsyslog\fR (the default) or \fBstderr\fR.
+.TP
+\fB--profile <profile>\fR
+Choose from one of the available sandboxing profiles, which are simple way to
+get a standardized environment. See the
+.BR "SANDBOXING PROFILES"
+section below for the full list of supported values for \fIprofile\fR.
+.SH SANDBOXING PROFILES
+The following sandboxing profiles are supported:
+.TP
+\fBminimalistic-mountns\fR
+Set up a minimalistic mount namespace. Equivalent to \fB-v -P /var/empty
+-b /,/ -b /proc,/proc -t -r --mount-dev\fR.
.SH IMPLEMENTATION
This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper
library called \fBlibminijailpreload\fR. Some jailings can only be achieved from