Elly Jones | e58176c | 2012-01-23 11:46:17 -0500 | [diff] [blame^] | 1 | .TH MINIJAIL0 "1" "January 2012" "Chromium OS" "User Commands" |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 2 | .SH NAME |
| 3 | minijail0 \- sandbox a process |
| 4 | .SH SYNOPSIS |
| 5 | .B minijail0 |
| 6 | [\fIOPTION\fR]... <\fIprogram\fR> [\fIargs\fR]... |
| 7 | .SH DESCRIPTION |
| 8 | .PP |
| 9 | Runs PROGRAM inside a sandbox. |
| 10 | .TP |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 11 | \fB-b <src>,<dest>[,<writeable>] |
| 12 | Bind-mount <src> into the chroot directory at <dest>, optionally writeable. |
| 13 | .TP |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 14 | \fB-c <caps>\fR |
| 15 | Restrict capabilities to \fIcaps\fR. When used in conjunction with \fB-u\fR and |
Elly Jones | 51a5b6c | 2011-10-12 19:09:26 -0400 | [diff] [blame] | 16 | .TP |
| 17 | \fB-C <dir>\fR |
| 18 | Change root (using chroot(2)) to <dir>. |
| 19 | .TP |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 20 | \fB-g\fR, this allows a program to have access to only certain parts of root's |
| 21 | default privileges while running as another user and group ID altogether. Note |
| 22 | that these capabilities are not inherited by subprocesses of the process given |
| 23 | capabilities unless those subprocesses have POSIX file capabilities. See |
| 24 | \fBcapabilities\fR(7). |
| 25 | .TP |
| 26 | \fB-G\fR |
| 27 | Inherit all the supplementary groups of the user specified with \fB-u\fR. It |
| 28 | is an error to use this option without having specified a \fBuser name\fR to |
| 29 | \fB-u\fR. |
| 30 | .TP |
| 31 | \fB-g <group>\fR |
| 32 | Change groups to \fIgroup\fR, which may be either a group name or a numeric |
| 33 | group ID. |
| 34 | .TP |
| 35 | \fB-h\fR |
| 36 | Print a help message. |
| 37 | .TP |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 38 | \fB-H\fR |
| 39 | Print a help message detailing supported system call names for seccomp_filter. |
| 40 | (Other direct numbers may be specified if minijail0 is not in sync with the |
| 41 | host kernel or something like 32/64-bit compatibility issues exist.) |
| 42 | .TP |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 43 | \fB-p\fR |
| 44 | Run inside a new PID namespace. This option will make it impossible for the |
Elly Jones | e58176c | 2012-01-23 11:46:17 -0500 | [diff] [blame^] | 45 | program to see or affect processes that are not its descendants. This implies |
| 46 | \fB-v\fR and \fB-r\fR, since otherwise the process can see outside its namespace |
| 47 | by inspecting /proc. |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 48 | .TP |
| 49 | \fB-r\fR |
| 50 | Remount certain filesystems readonly. Currently this only remounts /proc. This |
| 51 | implies \fB-v\fR. Remounting /proc readonly means that even if the process has |
| 52 | write access to a system config knob in /proc (e.g., in /sys/kernel), it cannot |
| 53 | change the value. |
| 54 | .TP |
| 55 | \fB-s\fR |
| 56 | Enable seccomp(2) in mode 1, which restricts the child process to a very small |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 57 | set of system calls. |
| 58 | .TP |
| 59 | \fB-S <arch-specific seccomp_filter policy file>\fR |
| 60 | Enable seccomp(2) in mode 13 which restricts the child process to a set of |
| 61 | system calls defined in the policy file. Note that system calls often change |
| 62 | names based on the architecture or mode. (uname -m is your friend.) |
Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame] | 63 | .TP |
| 64 | \fB-u <user>\fR |
| 65 | Change users to \fIuser\fR, which may be either a user name or a numeric user |
| 66 | ID. |
| 67 | .TP |
| 68 | \fB-v\fR |
| 69 | Run inside a new VFS namespace. This option makes the program's mountpoints |
| 70 | independent of the rest of the system's. |
| 71 | .SH IMPLEMENTATION |
| 72 | This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper |
| 73 | library called \fBlibminijailpreload\fR. Some jailings can only be achieved from |
| 74 | the process to which they will actually apply - specifically capability use |
| 75 | (since capabilities are not inherited to an exec'd process unless the exec'd |
| 76 | process has POSIX file capabilities), seccomp (since we can't exec() once we're |
| 77 | seccomp'd), and ptrace-disable (which is always cleared on exec(). |
| 78 | |
| 79 | To this end, \fBlibminijailpreload\fR is forcibly loaded into all |
| 80 | dynamically-linked target programs if any of these restrictions are in effect; |
| 81 | we pass the specific restrictions in an environment variable which the preloaded |
| 82 | library looks for. The forcibly-loaded library then applies the restrictions |
| 83 | to the newly-loaded program. |
| 84 | .SH AUTHOR |
| 85 | Written by Elly Jones (ellyjones@chromium.org) |
| 86 | .SH COPYRIGHT |
| 87 | Copyright \(co 2011 The Chromium OS Authors |
| 88 | License BSD-like. |
| 89 | .SH "SEE ALSO" |
Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500 | [diff] [blame] | 90 | \fBlibminijail.h\fR \fBminijail0(5)\fR |