minijail0.1 - platform/external/minijail - Gitiles

 .TH MINIJAIL0 "1" "January 2012" "Chromium OS" "User Commands"
 .SH NAME
 minijail0 \- sandbox a process
 .SH SYNOPSIS
 .B minijail0
 [\fIOPTION\fR]... <\fIprogram\fR> [\fIargs\fR]...
 .SH DESCRIPTION
 .PP
 Runs PROGRAM inside a sandbox.
 .TP
 \fB-b <src>,<dest>[,<writeable>]
 Bind-mount <src> into the chroot directory at <dest>, optionally writeable.
 .TP
 \fB-c <caps>\fR
 Restrict capabilities to \fIcaps\fR. When used in conjunction with \fB-u\fR and
 .TP
 \fB-C <dir>\fR
 Change root (using chroot(2)) to <dir>.
 .TP
 \fB-t\fR
 Mounts a tmpfs filesystem on /tmp. /tmp must exist in the chroot.
 This must be used with -C. The default filesystem has a max size of 128M
 and has standard /tmp permissions (777).
 .TP
 \fB-g\fR, this allows a program to have access to only certain parts of root's
 default privileges while running as another user and group ID altogether. Note
 that these capabilities are not inherited by subprocesses of the process given
 capabilities unless those subprocesses have POSIX file capabilities. See
 \fBcapabilities\fR(7).
 .TP
 \fB-G\fR
 Inherit all the supplementary groups of the user specified with \fB-u\fR. It
 is an error to use this option without having specified a \fBuser name\fR to
 \fB-u\fR.
 .TP
 \fB-g <group>\fR
 Change groups to \fIgroup\fR, which may be either a group name or a numeric
 group ID.
 .TP
 \fB-h\fR
 Print a help message.
 .TP
 \fB-H\fR
 Print a help message detailing supported system call names for seccomp_filter.
 (Other direct numbers may be specified if minijail0 is not in sync with the
  host kernel or something like 32/64-bit compatibility issues exist.)
 .TP
 \fB-p\fR
 Run inside a new PID namespace. This option will make it impossible for the
 program to see or affect processes that are not its descendants. This implies
 \fB-v\fR and \fB-r\fR, since otherwise the process can see outside its namespace
 by inspecting /proc.
 .TP
 \fB-r\fR
 Remount certain filesystems readonly. Currently this only remounts /proc. This
 implies \fB-v\fR. Remounting /proc readonly means that even if the process has
 write access to a system config knob in /proc (e.g., in /sys/kernel), it cannot
 change the value.
 .TP
 \fB-s\fR
 Enable seccomp(2) in mode 1, which restricts the child process to a very small
 set of system calls.
 .TP
 \fB-S <arch-specific seccomp_filter policy file>\fR
 Enable seccomp(2) in mode 13 which restricts the child process to a set of
 system calls defined in the policy file.  Note that system calls often change
 names based on the architecture or mode. (uname -m is your friend.)
 .TP
 \fB-u <user>\fR
 Change users to \fIuser\fR, which may be either a user name or a numeric user
 ID.
 .TP
 \fB-v\fR
 Run inside a new VFS namespace. This option makes the program's mountpoints
 independent of the rest of the system's.
 .SH IMPLEMENTATION
 This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper
 library called \fBlibminijailpreload\fR. Some jailings can only be achieved from
 the process to which they will actually apply - specifically capability use
 (since capabilities are not inherited to an exec'd process unless the exec'd
 process has POSIX file capabilities), seccomp (since we can't exec() once we're
 seccomp'd), and ptrace-disable (which is always cleared on exec().

 To this end, \fBlibminijailpreload\fR is forcibly loaded into all
 dynamically-linked target programs if any of these restrictions are in effect;
 we pass the specific restrictions in an environment variable which the preloaded
 library looks for. The forcibly-loaded library then applies the restrictions
 to the newly-loaded program.
 .SH AUTHOR
 Written by Elly Jones (ellyjones@chromium.org)
 .SH COPYRIGHT
 Copyright \(co 2011 The Chromium OS Authors
 License BSD-like.
 .SH "SEE ALSO"
 \fBlibminijail.h\fR \fBminijail0(5)\fR
	.TH MINIJAIL0 "1" "January 2012" "Chromium OS" "User Commands"
	.SH NAME
	minijail0 \- sandbox a process
	.SH SYNOPSIS
	.B minijail0
	[\fIOPTION\fR]... <\fIprogram\fR> [\fIargs\fR]...
	.SH DESCRIPTION
	.PP
	Runs PROGRAM inside a sandbox.
	.TP
	\fB-b <src>,<dest>[,<writeable>]
	Bind-mount <src> into the chroot directory at <dest>, optionally writeable.
	.TP
	\fB-c <caps>\fR
	Restrict capabilities to \fIcaps\fR. When used in conjunction with \fB-u\fR and
	.TP
	\fB-C <dir>\fR
	Change root (using chroot(2)) to <dir>.
	.TP
	\fB-t\fR
	Mounts a tmpfs filesystem on /tmp. /tmp must exist in the chroot.
	This must be used with -C. The default filesystem has a max size of 128M
	and has standard /tmp permissions (777).
	.TP
	\fB-g\fR, this allows a program to have access to only certain parts of root's
	default privileges while running as another user and group ID altogether. Note
	that these capabilities are not inherited by subprocesses of the process given
	capabilities unless those subprocesses have POSIX file capabilities. See
	\fBcapabilities\fR(7).
	.TP
	\fB-G\fR
	Inherit all the supplementary groups of the user specified with \fB-u\fR. It
	is an error to use this option without having specified a \fBuser name\fR to
	\fB-u\fR.
	.TP
	\fB-g <group>\fR
	Change groups to \fIgroup\fR, which may be either a group name or a numeric
	group ID.
	.TP
	\fB-h\fR
	Print a help message.
	.TP
	\fB-H\fR
	Print a help message detailing supported system call names for seccomp_filter.
	(Other direct numbers may be specified if minijail0 is not in sync with the
	host kernel or something like 32/64-bit compatibility issues exist.)
	.TP
	\fB-p\fR
	Run inside a new PID namespace. This option will make it impossible for the
	program to see or affect processes that are not its descendants. This implies
	\fB-v\fR and \fB-r\fR, since otherwise the process can see outside its namespace
	by inspecting /proc.
	.TP
	\fB-r\fR
	Remount certain filesystems readonly. Currently this only remounts /proc. This
	implies \fB-v\fR. Remounting /proc readonly means that even if the process has
	write access to a system config knob in /proc (e.g., in /sys/kernel), it cannot
	change the value.
	.TP
	\fB-s\fR
	Enable seccomp(2) in mode 1, which restricts the child process to a very small
	set of system calls.
	.TP
	\fB-S <arch-specific seccomp_filter policy file>\fR
	Enable seccomp(2) in mode 13 which restricts the child process to a set of
	system calls defined in the policy file. Note that system calls often change
	names based on the architecture or mode. (uname -m is your friend.)
	.TP
	\fB-u <user>\fR
	Change users to \fIuser\fR, which may be either a user name or a numeric user
	ID.
	.TP
	\fB-v\fR
	Run inside a new VFS namespace. This option makes the program's mountpoints
	independent of the rest of the system's.
	.SH IMPLEMENTATION
	This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper
	library called \fBlibminijailpreload\fR. Some jailings can only be achieved from
	the process to which they will actually apply - specifically capability use
	(since capabilities are not inherited to an exec'd process unless the exec'd
	process has POSIX file capabilities), seccomp (since we can't exec() once we're
	seccomp'd), and ptrace-disable (which is always cleared on exec().

	To this end, \fBlibminijailpreload\fR is forcibly loaded into all
	dynamically-linked target programs if any of these restrictions are in effect;
	we pass the specific restrictions in an environment variable which the preloaded
	library looks for. The forcibly-loaded library then applies the restrictions
	to the newly-loaded program.
	.SH AUTHOR
	Written by Elly Jones (ellyjones@chromium.org)
	.SH COPYRIGHT
	Copyright \(co 2011 The Chromium OS Authors
	License BSD-like.
	.SH "SEE ALSO"
	\fBlibminijail.h\fR \fBminijail0(5)\fR