blob: c8177085d5096e30a89e265d2e37c3e25605b25f [file] [log] [blame]
Jorge Lucangeli Obesa521bee2016-03-03 13:47:57 -08001.TH MINIJAIL0 "1" "March 2016" "Chromium OS" "User Commands"
Elly Jonescd7a9042011-07-22 13:56:51 -04002.SH NAME
3minijail0 \- sandbox a process
4.SH SYNOPSIS
5.B minijail0
Jorge Lucangeli Obes13650612016-09-02 11:27:29 -04006[\fIOPTION\fR]... <\fIPROGRAM\fR> [\fIargs\fR]...
Elly Jonescd7a9042011-07-22 13:56:51 -04007.SH DESCRIPTION
8.PP
9Runs PROGRAM inside a sandbox.
10.TP
Andrew Brestickereac28942015-11-11 16:04:46 -080011\fB-a <table>\fR
Jorge Lucangeli Obesa521bee2016-03-03 13:47:57 -080012Run using the alternate syscall table named \fItable\fR. Only available on kernels
Mike Frysinger0fe4e4f2017-06-20 14:01:09 -040013and architectures that support the \fBPR_ALT_SYSCALL\fR option of \fBprctl\fR(2).
Andrew Brestickereac28942015-11-11 16:04:46 -080014.TP
Elly Jones51a5b6c2011-10-12 19:09:26 -040015\fB-b <src>,<dest>[,<writeable>]
Jorge Lucangeli Obesa521bee2016-03-03 13:47:57 -080016Bind-mount \fIsrc\fR into the chroot directory at \fIdest\fR, optionally writeable.
Elly Jones51a5b6c2011-10-12 19:09:26 -040017.TP
Elly Jonescd7a9042011-07-22 13:56:51 -040018\fB-c <caps>\fR
19Restrict capabilities to \fIcaps\fR. When used in conjunction with \fB-u\fR and
20\fB-g\fR, this allows a program to have access to only certain parts of root's
21default privileges while running as another user and group ID altogether. Note
22that these capabilities are not inherited by subprocesses of the process given
23capabilities unless those subprocesses have POSIX file capabilities. See
24\fBcapabilities\fR(7).
25.TP
Dylan Reid6cae0b22015-11-18 18:47:49 -080026\fB-C <dir>\fR
Mike Frysinger0fe4e4f2017-06-20 14:01:09 -040027Change root (using \fBchroot\fR(2)) to \fIdir\fR.
Dylan Reid6cae0b22015-11-18 18:47:49 -080028.TP
29\fB-e[file]\fR
Jorge Lucangeli Obesa521bee2016-03-03 13:47:57 -080030Enter a new network namespace, or if \fIfile\fR is specified, enter an existing
Dylan Reid6cae0b22015-11-18 18:47:49 -080031network namespace specified by \fIfile\fR which is typically of the form
32/proc/<pid>/ns/net.
33.TP
34\fB-f <file>\fR
35Write the pid of the jailed process to \fIfile\fR.
36.TP
Lutz Justen13807cb2017-01-03 17:11:55 +010037\fB-g <group>\fR
38Change groups to \fIgroup\fR, which may be either a group name or a numeric
39group ID.
40.TP
Elly Jonescd7a9042011-07-22 13:56:51 -040041\fB-G\fR
42Inherit all the supplementary groups of the user specified with \fB-u\fR. It
43is an error to use this option without having specified a \fBuser name\fR to
44\fB-u\fR.
45.TP
Elly Jonescd7a9042011-07-22 13:56:51 -040046\fB-h\fR
47Print a help message.
48.TP
Will Drewry32ac9f52011-08-18 21:36:27 -050049\fB-H\fR
50Print a help message detailing supported system call names for seccomp_filter.
51(Other direct numbers may be specified if minijail0 is not in sync with the
52 host kernel or something like 32/64-bit compatibility issues exist.)
53.TP
Brian Norris3b5841b2016-03-16 16:43:49 -070054\fB-I\fR
55Run \fIprogram\fR as init (pid 1) inside a new pid namespace (implies \fB-p\fR).
56.TP
Jorge Lucangeli Obesa521bee2016-03-03 13:47:57 -080057\fB-k <src>,<dest>,<type>[,<flags>]\fR
58Mount \fIsrc\fR, a \fItype\fR filesystem, into the chroot directory at \fIdest\fR, with optional \fIflags\fR.
59.TP
60\fB-K\fR
61Don't mark all existing mounts as MS_PRIVATE.
62This option is \fBdangerous\fR as it negates most of the functionality of \fB-v\fR.
63You very likely don't need this.
64.TP
Dylan Reidf7942472015-11-18 17:55:26 -080065\fB-l\fR
66Run inside a new IPC namespace. This option makes the program's System V IPC
67namespace independent.
68.TP
Brian Norris3b5841b2016-03-16 16:43:49 -070069\fB-L\fR
70Report blocked syscalls to syslog when using seccomp filter. This option will
71force certain syscalls to be allowed in order to achieve this, depending on the
72system.
73.TP
Jorge Lucangeli Obes959f6562017-02-07 11:03:46 -050074\fB-m[<uid> <loweruid> <count>[,<uid> <loweruid> <count>]]\fR
Jorge Lucangeli Obesa521bee2016-03-03 13:47:57 -080075Set the uid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
Mike Frysinger0fe4e4f2017-06-20 14:01:09 -040076\fBnewuidmap\fR(1). Multiple mappings should be separated by ','. With no mapping,
Jorge Lucangeli Obes959f6562017-02-07 11:03:46 -050077map the current uid to root inside the user namespace.
Dylan Reid6cae0b22015-11-18 18:47:49 -080078.TP
Jorge Lucangeli Obes959f6562017-02-07 11:03:46 -050079\fB-M[<uid> <loweruid> <count>[,<uid> <loweruid> <count>]]\fR
Jorge Lucangeli Obesa521bee2016-03-03 13:47:57 -080080Set the gid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
Mike Frysinger0fe4e4f2017-06-20 14:01:09 -040081\fBnewgidmap\fR(1). Multiple mappings should be separated by ','. With no mapping,
Jorge Lucangeli Obes959f6562017-02-07 11:03:46 -050082map the current gid to root inside the user namespace.
Dylan Reid6cae0b22015-11-18 18:47:49 -080083.TP
Brian Norris3b5841b2016-03-16 16:43:49 -070084\fB-n\fR
Mike Frysinger0fe4e4f2017-06-20 14:01:09 -040085Set the process's \fIno_new_privs\fR bit. See \fBprctl\fR(2) and the kernel
Brian Norris3b5841b2016-03-16 16:43:49 -070086source file \fIDocumentation/prctl/no_new_privs.txt\fR for more info.
87.TP
Dylan Reid87e58512016-07-11 14:35:12 -070088\fB-N\fR
89Run inside a new cgroup namespace. This option runs the program with a cgroup
90view showing the program's cgroup as the root. This is only available on v4.6+
91of the Linux kernel.
92.TP
Elly Jonescd7a9042011-07-22 13:56:51 -040093\fB-p\fR
94Run inside a new PID namespace. This option will make it impossible for the
Elly Jonese58176c2012-01-23 11:46:17 -050095program to see or affect processes that are not its descendants. This implies
96\fB-v\fR and \fB-r\fR, since otherwise the process can see outside its namespace
97by inspecting /proc.
Elly Jonescd7a9042011-07-22 13:56:51 -040098.TP
Dylan Reid6cae0b22015-11-18 18:47:49 -080099\fB-P <dir>\fR
100Set \fIdir\fR as the root fs using \fBpivot_root\fR. Implies \fB-v\fR, not
101compatible with \fB-C\fR.
102.TP
Elly Jonescd7a9042011-07-22 13:56:51 -0400103\fB-r\fR
Dylan Reid6cae0b22015-11-18 18:47:49 -0800104Remount /proc readonly. This implies \fB-v\fR. Remounting /proc readonly means
105that even if the process has write access to a system config knob in /proc
106(e.g., in /sys/kernel), it cannot change the value.
Elly Jonescd7a9042011-07-22 13:56:51 -0400107.TP
Dylan Reid0f72ef42017-06-06 15:42:49 -0700108\fB-R <rlim_type, rlim_cur, rlim_max>\fR
109Set an rlimit value, see \fBgetrlimit\fR(2) for allowed values.
110.TP
Elly Jonescd7a9042011-07-22 13:56:51 -0400111\fB-s\fR
Mike Frysinger0fe4e4f2017-06-20 14:01:09 -0400112Enable \fBseccomp\fR(2) in mode 1, which restricts the child process to a very
113small set of system calls.
Mike Frysingere61fd662017-06-20 14:07:41 -0400114You most likely do not want to use this with the seccomp filter mode (\fB-S\fR)
115as they are completely different (even though they have similar names).
Will Drewry32ac9f52011-08-18 21:36:27 -0500116.TP
117\fB-S <arch-specific seccomp_filter policy file>\fR
Mike Frysinger0fe4e4f2017-06-20 14:01:09 -0400118Enable \fBseccomp\fR(2) in mode 13 which restricts the child process to a set of
Jorge Lucangeli Obesa521bee2016-03-03 13:47:57 -0800119system calls defined in the policy file. Note that system calls often change
Will Drewry32ac9f52011-08-18 21:36:27 -0500120names based on the architecture or mode. (uname -m is your friend.)
Elly Jonescd7a9042011-07-22 13:56:51 -0400121.TP
Jorge Lucangeli Obes959f6562017-02-07 11:03:46 -0500122\fB-t[size]\fR
Mike Frysingerec7def22017-01-13 18:44:45 -0500123Mounts a tmpfs filesystem on /tmp. /tmp must exist already (e.g. in the chroot).
Martin Pelikánab9eb442017-01-25 11:53:58 +1100124The filesystem has a default size of "64M", overridden with an optional
125argument. It has standard /tmp permissions (1777), and is mounted
126nodev/noexec/nosuid. Implies \fB-v\fR.
Jorge Lucangeli Obesa521bee2016-03-03 13:47:57 -0800127.TP
Matthew Dempsky2ed09122016-02-11 09:43:37 -0800128\fB-T <type>\fR
129Assume program's ELF linkage type is \fItype\fR,
130which should be either 'static' or 'dynamic'.
131.TP
Elly Jonescd7a9042011-07-22 13:56:51 -0400132\fB-u <user>\fR
133Change users to \fIuser\fR, which may be either a user name or a numeric user
134ID.
135.TP
Brian Norris3b5841b2016-03-16 16:43:49 -0700136\fB-U\fR
137Enter a new user namespace (implies \fB-p\fR).
138.TP
Elly Jonescd7a9042011-07-22 13:56:51 -0400139\fB-v\fR
140Run inside a new VFS namespace. This option makes the program's mountpoints
141independent of the rest of the system's.
Dylan Reid6cae0b22015-11-18 18:47:49 -0800142.TP
143\fB-V <file>\fR
144Enter the VFS namespace specified by \fIfile\fR.
Jorge Lucangeli Obes13650612016-09-02 11:27:29 -0400145.TP
Chirantan Ekbote866bb3a2017-02-07 12:26:42 -0800146\fB-w\fR
147Create and join a new anonymous session keyring. See \fBkeyrings\fR(7) for more
148details.
149.TP
Lutz Justen13807cb2017-01-03 17:11:55 +0100150\fB-y\fR
151Keep the current user's supplementary groups.
152.TP
Jorge Lucangeli Obes13650612016-09-02 11:27:29 -0400153\fB-Y\fR
154Synchronize seccomp filters across thread group.
Mike Frysingerb9a7b162017-05-30 15:25:49 -0400155.TP
156\fB--uts[=hostname]\fR
157Create a new UTS/hostname namespace, and optionally set the hostname in the new
158namespace to \fIhostname\fR.
Elly Jonescd7a9042011-07-22 13:56:51 -0400159.SH IMPLEMENTATION
160This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper
161library called \fBlibminijailpreload\fR. Some jailings can only be achieved from
162the process to which they will actually apply - specifically capability use
163(since capabilities are not inherited to an exec'd process unless the exec'd
164process has POSIX file capabilities), seccomp (since we can't exec() once we're
Jorge Lucangeli Obesa521bee2016-03-03 13:47:57 -0800165seccomp'd), and ptrace-disable (which is always cleared on exec()).
Elly Jonescd7a9042011-07-22 13:56:51 -0400166
167To this end, \fBlibminijailpreload\fR is forcibly loaded into all
168dynamically-linked target programs if any of these restrictions are in effect;
169we pass the specific restrictions in an environment variable which the preloaded
170library looks for. The forcibly-loaded library then applies the restrictions
171to the newly-loaded program.
Jorge Lucangeli Obesa521bee2016-03-03 13:47:57 -0800172
Elly Jonescd7a9042011-07-22 13:56:51 -0400173.SH AUTHOR
Jorge Lucangeli Obesa521bee2016-03-03 13:47:57 -0800174The Chromium OS Authors <chromiumos-dev@chromium.org>
Elly Jonescd7a9042011-07-22 13:56:51 -0400175.SH COPYRIGHT
176Copyright \(co 2011 The Chromium OS Authors
177License BSD-like.
178.SH "SEE ALSO"
Mike Frysinger0fe4e4f2017-06-20 14:01:09 -0400179\fBlibminijail.h\fR \fBminijail0\fR(5)