Will Drewry | 32ac9f5 | 2011-08-18 21:36:27 -0500
.TH MINIJAIL0 "1" "July 2011" "Chromium OS" "User Commands"
.SH NAME
minijail0 \- sandbox a process
.SH DESCRIPTION
.PP
Runs PROGRAM inside a sandbox. See \fBminijail\fR(1) for details.
.SH EXAMPLES

Safely switch from root to nobody while dropping all capabilities and
inheriting any groups from nobody:

# minijail0 -c 0 -G -u nobody /usr/bin/whoami
nobody

Run in a PID and VFS namespace without superuser capabilities (but still
as root) and with a private view of /proc:

# minijail0 -p -v -r -c 0 /bin/ps
PID TTY TIME CMD
1 pts/0 00:00:00 minijail0
2 pts/0 00:00:00 ps

Run a process with a seccomp filter policy at reduced privileges:

# minijail0 -S /usr/share/minijail0/$(uname -m)/cat.policy -- \\
/bin/cat /proc/self/seccomp_filter
...

.SH SECCOMP_FILTER POLICY
The policy file supplied to the \fB-S\fR argument supports the following syntax:

\fB<syscall_name>\fR:\fB<ftrace filter policy>\fR
\fB<syscall_number>\fR:\fB<ftrace filter policy>\fR
\fB<empty line>\fR
\fB# any single line comment\fR

A policy that emulates \fBseccomp\fR(2) in mode 1 may look like:
read: 1
write: 1
sig_return: 1
exit: 1

The "1" acts as a wildcard and allows any use of the mentioned system
call. More advanced filtering is possible if your kernel supports
CONFIG_FTRACE_SYSCALLS. For example, we can allow a process to open any
file read-only and mmap with PROT_READ only:

# open with O_LARGEFILE|O_RDONLY|O_NONBLOCK or some combination
open: flags == 32768 || flags == 0 || flags == 34816 || flags == 2048
mmap2: prot == 0x0
munmap: 1
close: 1

The supported arguments may be found by reviewing the system call
prototypes in the Linux kernel source code. Be aware that any
non-numeric comparison may be subject to time-of-check-time-of-use
attacks and cannot be considered safe.

\fBexecve\fR may only be used when invoking with CAP_SYS_ADMIN privileges.

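The policy syntax above and the warning about non-numeric comparisons are mechanical enough to check before a policy is shipped. The following linter is an added example written for this page, not minijail's own tooling: it parses the four documented line forms, flags unconditional "1" rules, and flags any comparison against a non-numeric value as TOCTOU-prone. The argument-name table for open and mmap2 is an assumption taken from the kernel prototypes, and the sample policy is constructed.

```python
"""Policy-file linter for the seccomp_filter syntax documented above.

Added example (not part of minijail): it checks the documented line forms,
flags unconditional "1" rules, and flags any comparison against a
non-numeric value, which the man page warns is subject to TOCTOU attacks.
"""
import re
from dataclasses import dataclass, field

# <syscall_name>: <policy>  or  <syscall_number>: <policy>
_RULE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*|\d+)\s*:\s*(.+?)$")
# one "<arg> <op> <value>" term inside an ftrace-style filter expression
_CMP_RE = re.compile(r"([A-Za-z_]\w*)\s*(==|!=|<=|>=|<|>)\s*([^\s&|()]+)")
_NUM_RE = re.compile(r"^(0[xX][0-9a-fA-F]+|\d+)$")

# Argument names per syscall, taken from the kernel prototypes for these two
# calls only; this table is an assumption of the example, extend it as needed.
KNOWN_ARGS = {
    "open": ("filename", "flags", "mode"),
    "mmap2": ("addr", "len", "prot", "flags", "fd", "pgoff"),
}

@dataclass
class Rule:
    lineno: int
    syscall: str
    policy: str

@dataclass
class LintResult:
    rules: list = field(default_factory=list)
    errors: list = field(default_factory=list)     # lines that cannot be parsed
    warnings: list = field(default_factory=list)   # valid but risky rules

def lint_policy(text, known_args=KNOWN_ARGS):
    """Parse a policy file and return its rules, parse errors and risk warnings."""
    res = LintResult()
    first_seen = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # empty line or single-line comment
        m = _RULE_RE.match(line)
        if not m:
            res.errors.append(f"line {lineno}: expected '<syscall>: <filter>', got {raw!r}")
            continue
        syscall, policy = m.group(1), m.group(2).strip()
        if syscall in first_seen:
            res.warnings.append(f"line {lineno}: duplicate rule for {syscall} "
                                f"(first at line {first_seen[syscall]})")
        first_seen.setdefault(syscall, lineno)
        res.rules.append(Rule(lineno, syscall, policy))
        if policy == "1":
            res.warnings.append(f"line {lineno}: {syscall} is allowed unconditionally")
            continue
        for arg, op, value in _CMP_RE.findall(policy):
            if syscall in known_args and arg not in known_args[syscall]:
                res.errors.append(f"line {lineno}: {syscall} has no argument {arg!r}")
            if not _NUM_RE.match(value):
                res.warnings.append(f"line {lineno}: {syscall}: '{arg} {op} {value}' "
                                    "compares a non-numeric value (TOCTOU-prone)")
    return res

# Constructed sample: the read-only example from this page plus three bad lines.
SAMPLE_POLICY = """\
# open with O_LARGEFILE|O_RDONLY|O_NONBLOCK or some combination
open: flags == 32768 || flags == 0 || flags == 34816 || flags == 2048
mmap2: prot == 0x0
munmap: 1
close: 1
# string comparison on a user pointer: the value can change after the check
open: filename == "/etc/hosts"
mmap2: protection == 0
this line has no colon
"""

if __name__ == "__main__":
    r = lint_policy(SAMPLE_POLICY)
    for msg in r.errors + r.warnings:
        print(msg)
```

Run against the constructed sample it reports two errors (an unknown argument name and an unparseable line) and five warnings; the two unconditional rules for munmap and close are the kind of entry the "Be conservative" advice below is about.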
.SH SECCOMP_FILTER POLICY WRITING

Determining a policy for seccomp_filter can be time consuming. System
calls are often named in arch-specific or legacy-tainted ways, e.g.
geteuid versus geteuid32. When a process is killed by a seccomp filter
rule, the offending system call number is reported together with a best
guess of its ABI-defined name. This information may be used to produce
working baseline policies. However, if the process being contained has
a fairly tight working domain, \fBstrace -e raw=all <program>\fR
can generate the list of system calls that are needed. Note that when
using libminijail or minijail with preloading, the supporting initial
process setup calls will not be required. Be conservative.

It is also possible to analyze the binary statically, checking every
non-dead function to determine whether it issues system calls. There is
no active implementation of this, but something like
code.google.com/p/seccompsandbox is one possible runtime variant.

.SH AUTHOR
The Chromium OS Authors <chromiumos-dev@chromium.org>
.SH COPYRIGHT
Copyright \(co 2011 The Chromium OS Authors
License BSD-like.
.SH "SEE ALSO"
\fBminijail\fR(1)