.TH MINIJAIL0 "1" "March 2016" "Chromium OS" "User Commands"
.SH NAME
minijail0 \- sandbox a process
.SH SYNOPSIS
.B minijail0
[\fIOPTION\fR]... <\fIPROGRAM\fR> [\fIargs\fR]...
.SH DESCRIPTION
.PP
Runs PROGRAM inside a sandbox.
.TP
\fB-a <table>\fR
Run using the alternate syscall table named \fItable\fR. Only available on kernels
and architectures that support the \fBPR_ALT_SYSCALL\fR option of \fBprctl\fR(2).
.TP
\fB-b <src>,<dest>[,<writeable>]\fR
Bind-mount \fIsrc\fR into the chroot directory at \fIdest\fR, optionally writeable.
The \fIsrc\fR path must be an absolute path.
If the destination does not exist, it will be created as a file or directory
based on the \fIsrc\fR type.
.TP
\fB-c <caps>\fR
Restrict capabilities to \fIcaps\fR. When used in conjunction with \fB-u\fR and
\fB-g\fR, this allows a program to have access to only certain parts of root's
default privileges while running as another user and group ID altogether. Note
that these capabilities are not inherited by subprocesses of the process given
capabilities unless those subprocesses have POSIX file capabilities. See
\fBcapabilities\fR(7).
.TP
\fB-C <dir>\fR
Change root (using \fBchroot\fR(2)) to \fIdir\fR.
.TP
\fB-d\fR, \fB--mount-dev\fR
Create a new /dev mount with a minimal set of nodes. Implies \fB-v\fR.
Additional nodes can be bound with the \fB-b\fR or \fB-k\fR options.
The initial set of nodes is: full null tty urandom zero.
Symlinks are also created for: fd ptmx stderr stdin stdout.
.TP
\fB-e[file]\fR
Enter a new network namespace, or if \fIfile\fR is specified, enter an existing
network namespace specified by \fIfile\fR, which is typically of the form
/proc/<pid>/ns/net.
.TP
\fB-f <file>\fR
Write the pid of the jailed process to \fIfile\fR.
.TP
\fB-g <group>\fR
Change groups to \fIgroup\fR, which may be either a group name or a numeric
group ID.
.TP
\fB-G\fR
Inherit all the supplementary groups of the user specified with \fB-u\fR. It
is an error to use this option without having specified a \fBuser name\fR to
\fB-u\fR.
.TP
\fB-h\fR
Print a help message.
.TP
\fB-H\fR
Print a help message detailing supported system call names for seccomp_filter.
(Raw syscall numbers may also be specified directly if minijail0 is not in sync
with the host kernel or if 32/64-bit compatibility issues exist.)
.TP
\fB-I\fR
Run \fIprogram\fR as init (pid 1) inside a new pid namespace (implies \fB-p\fR).
.TP
\fB-k <src>,<dest>,<type>[,<flags>]\fR
Mount \fIsrc\fR, a \fItype\fR filesystem, into the chroot directory at \fIdest\fR, with optional \fIflags\fR.
If the mount is not a pseudo filesystem (e.g. proc or sysfs), the \fIsrc\fR path
must be an absolute path (e.g. \fI/dev/sda1\fR and not \fIsda1\fR).
If the destination does not exist, it will be created as a directory.
.TP
\fB-K\fR
Don't mark all existing mounts as MS_PRIVATE.
This option is \fBdangerous\fR as it negates most of the functionality of \fB-v\fR.
You very likely don't need this.
.TP
\fB-l\fR
Run inside a new IPC namespace. This option makes the program's System V IPC
namespace independent.
.TP
\fB-L\fR
Report blocked syscalls to syslog when using seccomp filter. This option will
force certain syscalls to be allowed in order to achieve this, depending on the
system.
.TP
\fB-m[<uid> <loweruid> <count>[,<uid> <loweruid> <count>]]\fR
Set the uid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
\fBnewuidmap\fR(1). Multiple mappings should be separated by ','. With no mapping,
map the current uid to root inside the user namespace.
.TP
\fB-M[<uid> <loweruid> <count>[,<uid> <loweruid> <count>]]\fR
Set the gid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
\fBnewgidmap\fR(1). Multiple mappings should be separated by ','. With no mapping,
map the current gid to root inside the user namespace.
.TP
\fB-n\fR
Set the process's \fIno_new_privs\fR bit. See \fBprctl\fR(2) and the kernel
source file \fIDocumentation/prctl/no_new_privs.txt\fR for more info.
.TP
\fB-N\fR
Run inside a new cgroup namespace. This option runs the program with a cgroup
view showing the program's cgroup as the root. This is only available on Linux
kernel v4.6 and later.
.TP
\fB-p\fR
Run inside a new PID namespace. This option will make it impossible for the
program to see or affect processes that are not its descendants. This implies
\fB-v\fR and \fB-r\fR, since otherwise the process can see outside its namespace
by inspecting /proc.
.TP
\fB-P <dir>\fR
Set \fIdir\fR as the root fs using \fBpivot_root\fR. Implies \fB-v\fR; not
compatible with \fB-C\fR.
.TP
\fB-r\fR
Remount /proc readonly. This implies \fB-v\fR. Remounting /proc readonly means
that even if the process has write access to a system config knob in /proc
(e.g., in /proc/sys/kernel), it cannot change the value.
.TP
\fB-R <rlim_type, rlim_cur, rlim_max>\fR
Set an rlimit value; see \fBgetrlimit\fR(2) for allowed values.
.TP
\fB-s\fR
Enable \fBseccomp\fR(2) in mode 1, which restricts the child process to a very
small set of system calls.
You most likely do not want to use this with the seccomp filter mode (\fB-S\fR),
as they are completely different (even though they have similar names).
.TP
\fB-S <arch-specific seccomp_filter policy file>\fR
Enable \fBseccomp\fR(2) in mode 13, which restricts the child process to a set of
system calls defined in the policy file. Note that system calls often change
names based on the architecture or mode. (uname -m is your friend.)
.TP
\fB-t[size]\fR
Mounts a tmpfs filesystem on /tmp. /tmp must exist already (e.g. in the chroot).
The filesystem has a default size of "64M", overridden with an optional
argument. It has standard /tmp permissions (1777), and is mounted
nodev/noexec/nosuid. Implies \fB-v\fR.
.TP
\fB-T <type>\fR
Assume the binary's ELF linkage type is \fItype\fR, which must be either 'static'
or 'dynamic'. Either setting will prevent minijail0 from manually parsing the
ELF header to determine the type. Type 'static' can be used to avoid preload
hooking, and will force minijail0 to instead set everything up before the
program is executed. Type 'dynamic' will force minijail0 to preload
\fIlibminijailpreload.so\fR to set up hooks, but will fail on actually
statically-linked binaries.
.TP
\fB-u <user>\fR
Change users to \fIuser\fR, which may be either a user name or a numeric user
ID.
.TP
\fB-U\fR
Enter a new user namespace (implies \fB-p\fR).
.TP
\fB-v\fR
Run inside a new VFS namespace. This option makes the program's mountpoints
independent of the rest of the system's.
.TP
\fB-V <file>\fR
Enter the VFS namespace specified by \fIfile\fR.
.TP
\fB-w\fR
Create and join a new anonymous session keyring. See \fBkeyrings\fR(7) for more
details.
.TP
\fB-y\fR
Keep the current user's supplementary groups.
.TP
\fB-Y\fR
Synchronize seccomp filters across the thread group.
.TP
\fB--uts[=hostname]\fR
Create a new UTS/hostname namespace, and optionally set the hostname in the new
namespace to \fIhostname\fR.
.TP
\fB--logging=<system>\fR
Use \fIsystem\fR as the logging system. \fIsystem\fR must be one of
\fBsyslog\fR (the default) or \fBstderr\fR.
.TP
\fB--profile <profile>\fR
Choose from one of the available sandboxing profiles, which are a simple way to
get a standardized environment. See the
.BR "SANDBOXING PROFILES"
section below for the full list of supported values for \fIprofile\fR.
.SH SANDBOXING PROFILES
The following sandboxing profiles are supported:
.TP
\fBminimalistic-mountns\fR
Set up a minimalistic mount namespace. Equivalent to \fB-v -P /var/empty
-b /,/ -b /proc,/proc -t -r --mount-dev\fR.
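.SH EXAMPLES
The following script is an added example; it is not part of the original man page or the Minijail project. It assumes \fBminijail0\fR is on PATH, that it is run as root (needed for \fB-u\fR, \fB-g\fR and \fB-P\fR), and that the seccomp policy file uses the one-entry-per-line "syscall: filter" form of \fBminijail0\fR(5); the policy contents and the \fInobody\fR/\fInogroup\fR account names are constructed sample values. It checks a policy's syscall names against the list printed by \fB-H\fR, then launches a program with the \fBminimalistic-mountns\fR option set plus \fB-p\fR, \fB-u\fR/\fB-g\fR, \fB-n\fR and \fB-S\fR.

```shell
#!/bin/sh
# Added example, not part of the minijail0 man page. Assumes minijail0 is on
# PATH, the script runs as root (needed for -u/-g and -P), and the policy
# file uses the one-entry-per-line "syscall: filter" form of minijail0(5).
set -eu

# Constructed sample policy for a program that only reads a file and exits.
# Syscall names differ per architecture: compare `uname -m` and `minijail0 -H`.
SAMPLE_POLICY='# constructed sample policy (x86_64 names)
read: 1
write: 1
openat: 1
close: 1
fstat: 1
exit_group: 1
'

# List the syscall names a policy file mentions, one per line, ignoring
# comments and blank lines.
policy_syscalls() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]*:.*//' "$1"
}

# Check every name in the policy against the names the local minijail0
# reports with -H. Returns 1 (and prints the offenders) if any name is
# unknown, e.g. a policy written for another architecture; returns 2 if
# minijail0 is not installed at all.
check_policy() {
    command -v minijail0 >/dev/null 2>&1 || return 2
    known=$(minijail0 -H 2>&1 || true)
    rc=0
    for name in $(policy_syscalls "$1"); do
        printf '%s\n' "$known" | grep -qw -- "$name" \
            || { echo "unknown syscall in policy: $name"; rc=1; }
    done
    return "$rc"
}

# Run PROGRAM under the minimalistic-mountns option set (-v -P -b -t -r
# --mount-dev) plus a new PID namespace (-p), an unprivileged uid/gid,
# no_new_privs (-n) and the seccomp filter (-S).
# Usage: run_jailed POLICY PROGRAM [ARGS...]
run_jailed() {
    policy=$1; shift
    exec minijail0 -u nobody -g nogroup -n -p \
        -v -P /var/empty -b /,/ -b /proc,/proc -t -r --mount-dev \
        -S "$policy" -- "$@"
}
```

Write SAMPLE_POLICY to a file, run check_policy on it, and only then hand the file to run_jailed; a non-zero result from check_policy means the filter would kill the program on its first unlisted syscall.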
.SH IMPLEMENTATION
This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper
library called \fBlibminijailpreload\fR. Some jailings can only be achieved from
the process to which they will actually apply, specifically capability use
(since capabilities are not inherited by an exec'd process unless the exec'd
process has POSIX file capabilities), seccomp (since we can't exec() once we're
seccomp'd), and ptrace-disable (which is always cleared on exec()).
.PP
To this end, \fBlibminijailpreload\fR is forcibly loaded into all
dynamically-linked target programs if any of these restrictions are in effect;
we pass the specific restrictions in an environment variable which the preloaded
library looks for. The forcibly-loaded library then applies the restrictions
to the newly-loaded program.
.SH AUTHOR
The Chromium OS Authors <chromiumos-dev@chromium.org>
.SH COPYRIGHT
Copyright \(co 2011 The Chromium OS Authors
License BSD-like.
.SH "SEE ALSO"
\fBlibminijail.h\fR \fBminijail0\fR(5)