.TH MINIJAIL0 "1" "March 2016" "Chromium OS" "User Commands"
.SH NAME
minijail0 \- sandbox a process
.SH SYNOPSIS
.B minijail0
[\fIOPTION\fR]... <\fIPROGRAM\fR> [\fIargs\fR]...
.SH DESCRIPTION
.PP
Runs PROGRAM inside a sandbox.
.TP
\fB-a <table>\fR
Run using the alternate syscall table named \fItable\fR. Only available on kernels
and architectures that support the \fBPR_ALT_SYSCALL\fR option of \fBprctl\fR(2).
.TP
\fB-b <src>[,<dest>[,<writeable>]]\fR
Bind-mount \fIsrc\fR into the chroot directory at \fIdest\fR, optionally writeable.
The \fIsrc\fR path must be an absolute path.
If \fIdest\fR is not specified, it will default to \fIsrc\fR.
If the destination does not exist, it will be created as a file or directory
based on the \fIsrc\fR type (including missing parent directories).
.TP
\fB-B <mask>\fR
Skip setting securebits in \fImask\fR when restricting capabilities (\fB-c\fR).
\fImask\fR is a hex constant that represents the mask of securebits that will
be preserved. See \fBcapabilities\fR(7) for the complete list. By default,
\fBSECURE_NOROOT\fR, \fBSECURE_NO_SETUID_FIXUP\fR, and \fBSECURE_KEEP_CAPS\fR
(together with their respective locks) are set.
\fBSECBIT_NO_CAP_AMBIENT_RAISE\fR (and its respective lock) is never set
because the permitted and inheritable capability sets have already been set
through \fB-c\fR.
.TP
\fB-c <caps>\fR
Restrict capabilities to \fIcaps\fR, which is either a hex constant or a string
that will be passed to \fBcap_from_text\fR(3) (only the effective capability
mask will be considered). The value will be used as the permitted, effective,
and inheritable sets. When used in conjunction with \fB-u\fR and \fB-g\fR,
this allows a program to have access to only certain parts of root's default
privileges while running as another user and group ID altogether. Note that
these capabilities are not inherited by subprocesses of the process given
capabilities unless those subprocesses have POSIX file capabilities or the
\fB--ambient\fR flag is also passed. See \fBcapabilities\fR(7).
.TP
\fB-C <dir>\fR
Change root (using \fBchroot\fR(2)) to \fIdir\fR.
.TP
\fB-d\fR, \fB--mount-dev\fR
Create a new /dev mount with a minimal set of nodes. Implies \fB-v\fR.
Additional nodes can be bound with the \fB-b\fR or \fB-k\fR options.
The initial set of nodes is: full, null, tty, urandom, zero.
Symlinks are also created for: fd, ptmx, stderr, stdin, stdout.
.TP
\fB-e[file]\fR
Enter a new network namespace, or if \fIfile\fR is specified, enter an existing
network namespace specified by \fIfile\fR, which is typically of the form
/proc/<pid>/ns/net.
.TP
\fB-f <file>\fR
Write the pid of the jailed process to \fIfile\fR.
.TP
\fB-g <group>\fR
Change groups to \fIgroup\fR, which may be either a group name or a numeric
group ID.
.TP
\fB-G\fR
Inherit all the supplementary groups of the user specified with \fB-u\fR. It
is an error to use this option without having specified a \fBuser name\fR to
\fB-u\fR.
.TP
\fB-h\fR
Print a help message.
.TP
\fB-H\fR
Print a help message detailing supported system call names for seccomp_filter.
(Raw syscall numbers may also be specified if minijail0 is not in sync with the
host kernel, or if something like 32/64-bit compatibility issues exist.)
.TP
\fB-i\fR
Exit immediately after \fBfork\fR(2). The jailed process will keep running in
the background.

Normally minijail will fork+exec the specified \fIprogram\fR so that it can set
up the right security settings in the new child process. The initial minijail
process will stay resident and wait for the \fIprogram\fR to exit so that the
script that ran minijail blocks correctly (e.g. standalone scripts). Specifying
\fB-i\fR makes that initial process exit immediately and free up its resources.

This option is recommended for daemons and init services when you want to
background the long-running \fIprogram\fR.
.TP
\fB-I\fR
Run \fIprogram\fR as init (pid 1) inside a new pid namespace (implies \fB-p\fR).

Most programs don't expect to run as an init, which is why minijail will do it
for you by default. Basically, the \fIprogram\fR needs to reap any processes it
forks to avoid leaving zombies behind. Signal handling needs care since the
kernel will mask all signals that don't have handlers registered (all default
handlers are ignored and cannot be changed).

This means a minijail process (acting as init) will remain resident by default.
While using \fB-I\fR is recommended when possible, strict review is required to
make sure the \fIprogram\fR continues to work as expected.

\fB-i\fR and \fB-I\fR may be safely used together. The \fB-i\fR option controls
the first minijail process outside of the pid namespace, while the \fB-I\fR
option controls the minijail process inside of the pid namespace.
.TP
\fB-k <src>,<dest>,<type>[,<flags>[,<data>]]\fR
Mount \fIsrc\fR, a \fItype\fR filesystem, at \fIdest\fR. If a chroot or pivot
root is active, \fIdest\fR will automatically be placed below that path.

The \fIflags\fR field is optional and may be a mix of \fIMS_XXX\fR or hex
constants separated by \fI|\fR characters. See \fBmount\fR(2) for details.
\fIMS_NODEV|MS_NOSUID|MS_NOEXEC\fR is the default value (a writable mount
with nodev/nosuid/noexec bits set), and it is strongly recommended that all
mounts have these three bits set whenever possible. If you need to disable
all three, then specify something like \fIMS_SILENT\fR.

The \fIdata\fR field is optional and is a comma delimited string (see
\fBmount\fR(2) for details). It is passed directly to the kernel, so all
fields here are filesystem specific. For \fItmpfs\fR, if no data is specified,
we will default to \fImode=0755,size=10M\fR. If you want other settings, you
will need to specify them explicitly yourself.

If the mount is not a pseudo filesystem (e.g. proc or sysfs), the \fIsrc\fR path
must be an absolute path (e.g. \fI/dev/sda1\fR and not \fIsda1\fR).

If the destination does not exist, it will be created as a directory (including
missing parent directories).
.TP
\fB-K[mode]\fR
Don't mark all existing mounts as MS_PRIVATE.
This option is \fBdangerous\fR as it negates most of the functionality of \fB-v\fR.
You very likely don't need this.

You may specify a mount propagation mode, in which case that will be used
instead of the default MS_PRIVATE. See the \fBmount\fR(2) man page and the
kernel docs \fIDocumentation/filesystems/sharedsubtree.txt\fR for more
technical details, but a brief guide:

.IP
\[bu] \fBslave\fR Changes in the parent mount namespace will propagate in, but
changes in this mount namespace will not propagate back out. This is usually
what people want to use.
.IP
\[bu] \fBprivate\fR No changes in either mount namespace will propagate.
This is the default behavior if you don't specify \fB-K\fR.
.IP
\[bu] \fBshared\fR Changes in the parent and this mount namespace will freely
propagate back and forth. This is not recommended.
.IP
\[bu] \fBunbindable\fR Mark all mounts as unbindable.
.TP
\fB-l\fR
Run inside a new IPC namespace. This option makes the program's System V IPC
namespace independent.
.TP
\fB-L\fR
Report blocked syscalls to syslog when using seccomp filter. This option will
force certain syscalls to be allowed in order to achieve this, depending on the
system.
.TP
\fB-m[<uid> <loweruid> <count>[,<uid> <loweruid> <count>]]\fR
Set the uid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
\fBnewuidmap\fR(1). Multiple mappings should be separated by ','. With no mapping,
map the current uid to root inside the user namespace.
.TP
\fB-M[<gid> <lowergid> <count>[,<gid> <lowergid> <count>]]\fR
Set the gid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
\fBnewgidmap\fR(1). Multiple mappings should be separated by ','. With no mapping,
map the current gid to root inside the user namespace.
.TP
\fB-n\fR
Set the process's \fIno_new_privs\fR bit. See \fBprctl\fR(2) and the kernel
source file \fIDocumentation/prctl/no_new_privs.txt\fR for more info.
.TP
\fB-N\fR
Run inside a new cgroup namespace. This option runs the program with a cgroup
view showing the program's cgroup as the root. This is only available on v4.6+
of the Linux kernel.
.TP
\fB-p\fR
Run inside a new PID namespace. This option will make it impossible for the
program to see or affect processes that are not its descendants. This implies
\fB-v\fR and \fB-r\fR, since otherwise the process can see outside its namespace
by inspecting /proc.

If the \fIprogram\fR exits, all of its children will be killed immediately by
the kernel. If you need to daemonize or background things, use the \fB-i\fR
option.

See \fBpid_namespaces\fR(7) for more info.
.TP
\fB-P <dir>\fR
Set \fIdir\fR as the root fs using \fBpivot_root\fR(2). Implies \fB-v\fR; not
compatible with \fB-C\fR.
.TP
\fB-r\fR
Remount /proc readonly. This implies \fB-v\fR. Remounting /proc readonly means
that even if the process has write access to a system config knob in /proc
(e.g., in /proc/sys/kernel), it cannot change the value.
.TP
\fB-R <rlim_type>,<rlim_cur>,<rlim_max>\fR
Set an rlimit value; see \fBgetrlimit\fR(2) for more details.

\fIrlim_type\fR may be specified using symbolic constants like \fIRLIMIT_AS\fR.

\fIrlim_cur\fR and \fIrlim_max\fR are specified either with a number (decimal or
hex starting with \fI0x\fR), or with the string \fIunlimited\fR (which will
translate to \fIRLIM_INFINITY\fR).
.TP
\fB-s\fR
Enable \fBseccomp\fR(2) in mode 1, which restricts the child process to a very
small set of system calls.
You most likely do not want to use this with the seccomp filter mode (\fB-S\fR)
as they are completely different (even though they have similar names).
.TP
\fB-S <arch-specific seccomp_filter policy file>\fR
Enable \fBseccomp\fR(2) in mode 2 (filter mode), which restricts the child
process to a set of system calls defined in the policy file. Note that system
call names may be different based on the runtime environment; see
\fBminijail0\fR(5) for more details.
.TP
\fB-t[size]\fR
Mounts a tmpfs filesystem on /tmp. /tmp must exist already (e.g. in the chroot).
The filesystem has a default size of "64M", overridden with an optional
argument. It has standard /tmp permissions (1777), and is mounted
nodev/noexec/nosuid. Implies \fB-v\fR.
.TP
\fB-T <type>\fR
Assume the binary's ELF linkage type is \fItype\fR, which must be either 'static'
or 'dynamic'. Either setting will prevent minijail0 from manually parsing the
ELF header to determine the type. Type 'static' can be used to avoid preload
hooking, and will force minijail0 to instead set everything up before the
program is executed. Type 'dynamic' will force minijail0 to preload
\fIlibminijailpreload.so\fR to set up hooks, but will fail on actually
statically-linked binaries.
.TP
\fB-u <user>\fR
Change users to \fIuser\fR, which may be either a user name or a numeric user
ID.
.TP
\fB-U\fR
Enter a new user namespace (implies \fB-p\fR).
.TP
\fB-v\fR
Run inside a new VFS namespace. This option makes the program's mountpoints
independent of the rest of the system's.
.TP
\fB-V <file>\fR
Enter the VFS namespace specified by \fIfile\fR.
.TP
\fB-w\fR
Create and join a new anonymous session keyring. See \fBkeyrings\fR(7) for more
details.
.TP
\fB-y\fR
Keep the current user's supplementary groups.
.TP
\fB-Y\fR
Synchronize seccomp filters across the thread group.
.TP
\fB-z\fR
Don't forward any signals to the jailed process. For example, when not using
\fB-i\fR, sending \fBSIGINT\fR (e.g., CTRL-C on the terminal) will kill the
minijail0 process, not the jailed process.
.TP
\fB--ambient\fR
Raise ambient capabilities to match the mask specified by \fB-c\fR. Since
ambient capabilities are preserved across \fBexecve\fR(2), this allows for
process trees to have a restricted set of capabilities, even if they are
capability-dumb binaries. See \fBcapabilities\fR(7).
.TP
\fB--uts[=hostname]\fR
Create a new UTS/hostname namespace, and optionally set the hostname in the new
namespace to \fIhostname\fR.
.TP
\fB--logging=<system>\fR
Use \fIsystem\fR as the logging system. \fIsystem\fR must be one of
\fBsyslog\fR (the default) or \fBstderr\fR.
.TP
\fB--profile <profile>\fR
Choose one of the available sandboxing profiles, which are a simple way to
get a standardized environment. See the
.BR "SANDBOXING PROFILES"
section below for the full list of supported values for \fIprofile\fR.
.TP
\fB--preload-library <file path>\fR
Allows overriding the default path of \fI/lib/libminijailpreload.so\fR. This
is only really useful for testing.
.TP
\fB--seccomp-bpf-binary <arch-specific BPF binary>\fR
This is similar to \fB-S\fR, but
instead of using a policy file, \fB--seccomp-bpf-binary\fR expects an
arch-and-kernel-version-specific pre-compiled BPF binary (such as the ones
produced by \fBparse_seccomp_policy\fR). Note that the filter might be
different based on the runtime environment; see \fBminijail0\fR(5) for more
details.
.SH SANDBOXING PROFILES
The following sandboxing profiles are supported:
.TP
\fBminimalistic-mountns\fR
Set up a minimalistic mount namespace. Equivalent to \fB-v -P /var/empty
-b / -b /proc -b /dev/log -t -r --mount-dev\fR.
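A launcher script that combines the options described above into one hardened daemon invocation, added here as an illustration and not taken from the man page or the Minijail project. The daemon /usr/sbin/exampled, the exampled user and group, /var/lib/exampled, /etc/exampled.policy and /run/exampled.pid are assumed names.

```shell
#!/bin/sh
# Added example (not part of the minijail0 man page or the Minijail project):
# launch a hypothetical daemon /usr/sbin/exampled under minijail0. The
# "exampled" user/group, /var/lib/exampled, the policy path and the pid file
# path are assumptions for illustration.

# Assemble the minijail0 option list. Kept in its own function so the exact
# command line can be inspected without minijail0 being installed.
# $1 = seccomp policy file (see minijail0(5)), $2 = pid file to write.
jail_args() {
    policy=$1
    pidfile=$2
    # Private mount namespace pivoted into /var/empty with read-only /,
    # read-only /proc, a tmpfs /tmp and a minimal /dev (SANDBOXING PROFILES).
    set -- --profile minimalistic-mountns
    # The profile binds / read-only; give the daemon one writable state dir.
    set -- "$@" -b /var/lib/exampled,/var/lib/exampled,1
    # New pid, IPC, cgroup and UTS namespaces (-p also implies -v and -r).
    set -- "$@" -p -l -N --uts=exampled
    # Drop to an unprivileged account, keeping its supplementary groups
    # (-G requires a user *name* in -u, not a numeric id).
    set -- "$@" -u exampled -g exampled -G
    # Keep only CAP_NET_BIND_SERVICE (capability 10, so mask 0x400). Without
    # --ambient it would be lost at execve(2) unless the binary had file caps.
    set -- "$@" -c 0x400 --ambient
    # no_new_privs: setuid binaries and file caps cannot re-raise privilege.
    set -- "$@" -n
    # Bound the open-descriptor count ("unlimited" would mean RLIM_INFINITY).
    set -- "$@" -R RLIMIT_NOFILE,256,256
    # Seccomp filter policy, with blocked syscalls reported to syslog so an
    # over-strict policy shows up in the logs instead of as a silent kill.
    set -- "$@" -S "$policy" -L
    # Background the daemon: the initial minijail0 process exits right after
    # fork(2), and the jailed process's pid goes to the pid file.
    set -- "$@" -i -f "$pidfile"
    printf '%s\n' "$*"
}

# Sanity checks a launcher should make before handing off to minijail0.
check_prereqs() {
    [ -r "$1" ] || { printf 'policy %s missing or unreadable\n' "$1" >&2; return 1; }
    command -v minijail0 >/dev/null 2>&1 || { printf 'minijail0 not installed\n' >&2; return 1; }
    return 0
}

# $1 = policy file, $2 = pid file. Word-splitting the jail_args output is
# intended; none of the assumed paths contain spaces.
run_jailed() {
    check_prereqs "$1" || return 1
    exec minijail0 $(jail_args "$1" "$2") /usr/sbin/exampled
}

# Only launch when explicitly asked (e.g. from an init script: "$0 start").
if [ "${1:-}" = "start" ]; then
    run_jailed /etc/exampled.policy /run/exampled.pid
fi
```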
.SH IMPLEMENTATION
This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper
library called \fBlibminijailpreload\fR. Some jailings can only be achieved
from the process to which they will actually apply:

.IP
\[bu] capability use (without using ambient capabilities): non-ambient
capabilities are not inherited across \fBexecve\fR(2) unless the file being
executed has POSIX file capabilities. Ambient capabilities (the
\fB--ambient\fR flag) fix capability inheritance across \fBexecve\fR(2) to
avoid the need for file capabilities.
.IP
\[bu] seccomp: a meaningful seccomp filter policy should disallow
\fBexecve\fR(2), to prevent a compromised process from executing a different
binary. However, this would prevent the seccomp policy from being applied
before \fBexecve\fR(2).
.RE

To this end, \fBlibminijailpreload\fR is forcibly loaded into all
dynamically-linked target programs by default; we pass the specific
restrictions in an environment variable which the preloaded library looks for.
The forcibly-loaded library then applies the restrictions to the newly-loaded
program.

This behavior can be disabled by the use of the \fB-T static\fR flag. There
are other cases in which the use of this flag might be useful:

.IP
\[bu] When \fIprogram\fR is linked against a different version of \fBlibc.so\fR
than \fBlibminijailpreload.so\fR.
.IP
\[bu] When \fBexecve\fR(2) has side-effects that interact badly with the
jailing process. If the system uses SELinux, \fBexecve\fR(2) can cause an
automatic domain transition, which would then require that the target domain
allows the operations to jail \fIprogram\fR.
.RE

.SH AUTHOR
The Chromium OS Authors <chromiumos-dev@chromium.org>
.SH COPYRIGHT
Copyright \(co 2011 The Chromium OS Authors
License BSD-like.
.SH "SEE ALSO"
\fBlibminijail.h\fR \fBminijail0\fR(5)