.TH MINIJAIL0 "1" "January 2012" "Chromium OS" "User Commands"
.SH NAME
minijail0 \- sandbox a process
.SH SYNOPSIS
.B minijail0
[\fIOPTION\fR]... <\fIprogram\fR> [\fIargs\fR]...
.SH DESCRIPTION
.PP
Runs \fIprogram\fR inside a sandbox.
.TP
\fB-a <table>\fR
Run using the alternate syscall table named <table>. Only available on kernels
and architectures that support the PR_ALT_SYSCALL option of prctl(2).
.TP
\fB-b <src>,<dest>[,<writeable>]\fR
Bind-mount <src> into the chroot directory at <dest>, optionally writeable.
.TP
\fB-c <caps>\fR
Restrict capabilities to \fIcaps\fR. When used in conjunction with \fB-u\fR and
\fB-g\fR, this allows a program to have access to only certain parts of root's
default privileges while running as another user and group ID altogether. Note
that these capabilities are not inherited by subprocesses of the process given
capabilities unless those subprocesses have POSIX file capabilities. See
\fBcapabilities\fR(7).
.TP
\fB-C <dir>\fR
Change root (using chroot(2)) to <dir>.
.TP
\fB-e[file]\fR
Enter a new network namespace, or, if \fIfile\fR is specified, enter the
existing network namespace referenced by \fIfile\fR, which is typically of the
form /proc/<pid>/ns/net.
.TP
\fB-f <file>\fR
Write the pid of the jailed process to \fIfile\fR.
.TP
\fB-t\fR
Mount a tmpfs filesystem on /tmp. /tmp must exist in the chroot, so this
option must be used with \fB-C\fR. The tmpfs has a maximum size of 128M and
the standard /tmp permissions (777).
.TP
\fB-G\fR
Inherit all the supplementary groups of the user specified with \fB-u\fR. It
is an error to use this option without having specified a \fBuser name\fR to
\fB-u\fR.
.TP
\fB-g <group>\fR
Change groups to \fIgroup\fR, which may be either a group name or a numeric
group ID.
.TP
\fB-h\fR
Print a help message.
.TP
\fB-H\fR
Print a help message detailing the system call names supported for seccomp
filter policies. Raw system call numbers may also be used in a policy when
minijail0 is not in sync with the host kernel or when 32/64-bit compatibility
issues exist.
.TP
\fB-l\fR
Run inside a new IPC namespace. This option makes the program's System V IPC
namespace independent.
.TP
\fB-m "<uid> <loweruid> <count>[,<uid> <loweruid> <count>]"\fR
Set the uid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
\fBnewuidmap(1)\fR. Multiple mappings should be separated by ','.
.TP
\fB-M "<uid> <loweruid> <count>[,<uid> <loweruid> <count>]"\fR
Set the gid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
\fBnewgidmap(1)\fR. Multiple mappings should be separated by ','.
.TP
\fB-p\fR
Run inside a new PID namespace. This option will make it impossible for the
program to see or affect processes that are not its descendants. This implies
\fB-v\fR and \fB-r\fR, since otherwise the process can see outside its namespace
by inspecting /proc.
.TP
\fB-P <dir>\fR
Set \fIdir\fR as the root fs using \fBpivot_root\fR. Implies \fB-v\fR, not
compatible with \fB-C\fR.
.TP
\fB-r\fR
Remount /proc readonly. This implies \fB-v\fR. Remounting /proc readonly means
that even if the process has write access to a system config knob in /proc
(e.g., in /proc/sys/kernel), it cannot change the value.
.TP
\fB-s\fR
Enable seccomp(2) in mode 1 (SECCOMP_MODE_STRICT), which restricts the child
process to a very small set of system calls: read, write, _exit and sigreturn.
.TP
\fB-S <arch-specific seccomp_filter policy file>\fR
Enable seccomp(2) in mode 2 (SECCOMP_MODE_FILTER), which restricts the child
process to the set of system calls defined in the policy file; see
\fBminijail0\fR(5) for the policy file format. Note that system call names and
numbers differ between architectures and between 32- and 64-bit modes on the
same machine, so a policy written for one does not carry over to another.
(uname -m is your friend.)
.TP
\fB-u <user>\fR
Change users to \fIuser\fR, which may be either a user name or a numeric user
ID.
.TP
\fB-v\fR
Run inside a new VFS namespace. This option makes the program's mountpoints
independent of the rest of the system's.
.TP
\fB-V <file>\fR
Enter the VFS namespace specified by \fIfile\fR.
.SH IMPLEMENTATION
This program is broken up into two parts: \fBminijail0\fR (the frontend) and a
helper library called \fBlibminijailpreload\fR. Some jailings can only be
achieved from the process to which they will actually apply: specifically
capability use (since capabilities are not inherited by an exec'd process
unless the exec'd process has POSIX file capabilities), seccomp (since we
can't exec() once we're seccomp'd), and ptrace-disable (which is always cleared
on exec()).

To this end, \fBlibminijailpreload\fR is forcibly loaded into all
dynamically-linked target programs if any of these restrictions are in effect;
we pass the specific restrictions in an environment variable which the preloaded
library looks for. The forcibly-loaded library then applies the restrictions
to the newly-loaded program.
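.PP
The seccomp step of that last restriction, as an added example that is not
minijail's own code: an allow-list filter of the kind \fB-S\fR has applied in
the target process, built from a list of syscall numbers (a policy file names
the same calls), plus a small interpreter so the filter's decisions can be
checked on synthetic \fIseccomp_data\fR before it is installed. The names
\fBSECCOMP_ARCH\fR, \fBMAX_INSNS\fR, \fBbuild_filter\fR, \fBrun_filter\fR,
\fBdecide\fR and \fBinstall_filter\fR are this example's own. Calls from a
foreign ABI are killed, listed calls are allowed, and everything else fails
with EPERM; once installed, the filter cannot be removed, and it is inherited
across fork() and exec().

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* A filter matching on syscall numbers must first reject other ABIs, since
 * numbers differ per architecture ("uname -m is your friend"). SECCOMP_ARCH
 * is this example's own name, not a kernel or minijail one. */
#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define SECCOMP_ARCH AUDIT_ARCH_I386
#else
#error "set SECCOMP_ARCH for this architecture"
#endif

#define MAX_INSNS 64 /* 5 fixed instructions + 2 per allowed syscall */

/* Build an allow-list filter into out[]: wrong arch -> kill, each listed
 * syscall number -> allow, anything else -> return EPERM to the caller.
 * Returns the instruction count, or 0 if the list does not fit. */
size_t build_filter(const int *allowed, size_t n, struct sock_filter *out)
{
    size_t i = 0;
    if (5 + 2 * n > MAX_INSNS)
        return 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                            SECCOMP_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (__u32)allowed[k], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                                SECCOMP_RET_ALLOW);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                            SECCOMP_RET_ERRNO |
                                            (EPERM & SECCOMP_RET_DATA));
    return i;
}

/* Interpreter for just the three instruction forms build_filter emits, so a
 * filter can be exercised on synthetic seccomp_data without installing it.
 * Returns the SECCOMP_RET_* action the kernel would take. */
__u32 run_filter(const struct sock_filter *prog, size_t len,
                 const struct seccomp_data *d)
{
    __u32 acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS: /* acc = 32-bit word at offset k */
            if (in->k + sizeof acc > sizeof *d)
                return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: /* skip jt or jf instructions */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default: /* not something build_filter produces */
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL; /* ran off the end; the kernel refuses such programs */
}

/* Decision for one (syscall number, arch) pair under an n-entry allow-list. */
__u32 decide(const int *allowed, size_t n, int nr, __u32 arch)
{
    struct sock_filter prog[MAX_INSNS];
    size_t len = build_filter(allowed, n, prog);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return len ? run_filter(prog, len, &d) : SECCOMP_RET_KILL;
}

/* Install in the calling process. No privilege is needed once no_new_privs
 * is set; neither it nor the filter can be undone afterwards. */
int install_filter(struct sock_filter *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    /* Just enough to print one line and exit; a policy file would name these. */
    const int allowed[] = { __NR_write, __NR_exit_group, __NR_exit,
                            __NR_rt_sigreturn };
    struct sock_filter prog[MAX_INSNS];
    size_t len = build_filter(allowed, sizeof allowed / sizeof allowed[0], prog);
    static const char ok[] = "filter installed; getpid() now fails with EPERM\n";
    static const char bad[] = "install_filter failed\n";

    if (install_filter(prog, len) != 0) {
        write(STDERR_FILENO, bad, sizeof bad - 1);
        return 1;
    }
    if (syscall(SYS_getpid) == -1 && errno == EPERM)
        write(STDOUT_FILENO, ok, sizeof ok - 1);
    _exit(0);
}
```

The example returns EPERM for unlisted calls so a mistake in the list shows up
as a failing call rather than a dead process; when hardening a real policy,
killing on a disallowed call is the safer default, since a program that tolerates
EPERM silently may keep running in a degraded, unexpected state.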
.SH AUTHOR
Written by Elly Jones (ellyjones@chromium.org)
.SH COPYRIGHT
Copyright \(co 2011 The Chromium OS Authors
License BSD-like.
.SH "SEE ALSO"
\fBlibminijail.h\fR \fBminijail0\fR(5)