# Minijail

The Minijail homepage and main repo is
https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

[TOC]

## What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android.
It provides an executable that can be used to launch and sandbox other programs,
and a library that can be used by code to sandbox itself.

## Getting the code

You're one `git clone` away from happiness.

```
$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail
```

Releases are tagged as `linux-vXX`:
https://android.googlesource.com/platform/external/minijail/+refs

## Building

See the [HACKING.md](./HACKING.md) document for more details.

## Release process

See the [RELEASE.md](./RELEASE.md) document for more details.

## Contact

We've got a couple of contact points.

* [minijail@chromium.org]: Public user & developer mailing list.
* [minijail-users@google.com]: Internal Google user mailing list.
* [minijail-dev@google.com]: Internal Google developer mailing list.
* [crbug.com/list]: Existing bug reports & feature requests.
* [crbug.com/new]: File new bug reports & feature requests.
* [AOSP Gerrit]: Code reviews.

[minijail@chromium.org]: https://groups.google.com/a/chromium.org/forum/#!forum/minijail
[minijail-users@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-users
[minijail-dev@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-dev
[crbug.com/list]: https://crbug.com/?q=component:OS>Systems>Minijail
[crbug.com/new]: https://bugs.chromium.org/p/chromium/issues/entry?components=OS>Systems>Minijail
[AOSP Gerrit]: https://android-review.googlesource.com/q/project:platform/external/minijail

## Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

[Video](https://drive.google.com/file/d/0BwPS_JpKyELWZTFBcTVsa1hhYjA/preview),
[slides](https://docs.google.com/presentation/d/1r6LpvDZtYrsl7ryOV4HtpUR-phfCLRL6PA-chcL1Kno/present).

## Example usage

The Chromium OS project has a comprehensive
[sandboxing](https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md)
document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

### Change root to any user

```
# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
```

### Drop root while keeping some capabilities

```
# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000
```
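
The `Cap*` values in that output are hexadecimal bitmasks, and `3000` sets bits 12 and 13, which are `CAP_NET_ADMIN` and `CAP_NET_RAW`. The script below is an added example, not part of Minijail or its README: it decodes a mask into capability names and checks that all four sets of a sandboxed process match the mask passed to `-c`. The helper names `decode_caps` and `check_caps` are hypothetical, and the sample input is copied from the output above.

```sh
#!/bin/sh
# Capability names by bit number, from <linux/capability.h> (bits 0-40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# The four Cap* lines from the README's example output above.
SAMPLE_STATUS="CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000"

# decode_caps HEXMASK: print the names of the capabilities set in HEXMASK.
decode_caps() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }cap_$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# check_caps EXPECTED_HEX: read /proc/<pid>/status text on stdin; succeed only
# if CapInh, CapPrm, CapEff and CapBnd are all present and equal EXPECTED_HEX.
check_caps() {
    want=$((0x$1)); seen=0; rc=0
    while read -r key val rest; do
        case $key in
        CapInh:|CapPrm:|CapEff:|CapBnd:)
            seen=$((seen + 1))
            if [ $((0x$val)) -ne "$want" ]; then
                echo "MISMATCH $key holds: $(decode_caps "$val")" >&2
                rc=1
            fi ;;
        esac
    done
    [ "$seen" -eq 4 ] || rc=1
    return "$rc"
}

printf '%s\n' "$SAMPLE_STATUS" | check_caps 3000 && decode_caps 3000
```

To check a live process, pipe `/proc/<pid>/status` into `check_caps` with the same mask given to `-c`; a bounding set wider than the intended mask is reported as a mismatch.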