• Home
Name Date Size #Lines LOC

..--

.github/workflows/03-May-2024-9767

examples/03-May-2024-9459

linux-x86/03-May-2024-6,6656,658

rust/03-May-2024-1,9951,651

test/03-May-2024-190133

tools/03-May-2024-4,9543,852

.clang-formatD03-May-2024181 87

.gitignoreD03-May-2024610 4835

Android.bpD03-May-202415.1 KiB605543

CPPLINT.cfgD03-May-202417 21

CleanSpec.mkD03-May-20242.2 KiB521

DIR_METADATAD03-May-2024515 1814

HACKING.mdD03-May-20242.9 KiB8762

LICENSED03-May-20241.5 KiB2928

METADATAD03-May-202439 43

MODULE_LICENSE_BSDD03-May-20240

MakefileD03-May-20248.3 KiB260157

NOTICED03-May-20241.5 KiB2827

OWNERSD03-May-202486 65

OWNERS_GENERALD03-May-202458 43

PRESUBMIT.cfgD03-May-2024264 128

PREUPLOAD.cfgD03-May-2024133 64

README.mdD03-May-20245.5 KiB165118

RELEASE.mdD03-May-2024530 2517

TEST_MAPPINGD03-May-2024495 3130

arch.hD03-May-20242.7 KiB9879

bpf.cD03-May-202410.2 KiB398307

bpf.hD03-May-20246.4 KiB227156

common.mkD03-May-202432.3 KiB953561

config_parser.cD03-May-20243.6 KiB149104

config_parser.hD03-May-20241.3 KiB5626

config_parser_unittest.ccD03-May-20244 KiB133103

dump_constants.ccD03-May-20241.5 KiB5138

elfparse.cD03-May-20244.8 KiB11988

elfparse.hD03-May-20244 KiB10070

gen_constants-inl.hD03-May-20242.3 KiB7654

gen_constants.cD03-May-202431 21

gen_constants.shD03-May-20241.7 KiB6233

gen_syscalls-inl.hD03-May-20241.8 KiB8058

gen_syscalls.cD03-May-202424 21

gen_syscalls.shD03-May-20241.6 KiB6132

get_googletest.shD03-May-2024209 73

libconstants.hD03-May-2024401 168

libminijail-private.hD03-May-20242.6 KiB9322

libminijail.cD03-May-202493.1 KiB3,6912,649

libminijail.hD03-May-202419.9 KiB535143

libminijail.pc.inD03-May-2024157 97

libminijail_unittest.ccD03-May-202440.6 KiB1,4421,062

libminijailpreload.cD03-May-20244.9 KiB15477

libsyscalls.hD03-May-2024448 1810

minijail0.1D03-May-202417.2 KiB401372

minijail0.5D03-May-20246.8 KiB192145

minijail0.cD03-May-20242.1 KiB8452

minijail0.shD03-May-2024332 102

minijail0_cli.cD03-May-202435.7 KiB1,242966

minijail0_cli.hD03-May-2024675 2915

minijail0_cli_unittest.ccD03-May-202417.3 KiB609360

navbar.mdD03-May-2024348 129

parse_seccomp_policy.ccD03-May-20242.8 KiB11186

platform2_preinstall.shD03-May-2024323 167

scoped_minijail.hD03-May-2024639 3318

setup.pyD03-May-20241.8 KiB5231

signal_handler.cD03-May-20241.6 KiB8355

signal_handler.hD03-May-2024346 154

syscall_filter.cD03-May-202423.7 KiB926645

syscall_filter.hD03-May-20241.9 KiB8762

syscall_filter_unittest.ccD03-May-202457.6 KiB2,0161,434

syscall_filter_unittest_macros.hD03-May-20243.6 KiB126101

syscall_wrapper.cD03-May-2024875 3521

syscall_wrapper.hD03-May-2024991 4528

system.cD03-May-202414 KiB545341

system.hD03-May-20241.6 KiB6943

system_unittest.ccD03-May-202410.5 KiB334220

test_util.ccD03-May-20241.2 KiB6145

test_util.hD03-May-20241.7 KiB7030

testrunner.ccD03-May-2024704 3317

util.cD03-May-202415.2 KiB650460

util.hD03-May-202411 KiB365125

util_unittest.ccD03-May-202413.1 KiB431340

README.md

1# Minijail
2
3The Minijail homepage is
4https://google.github.io/minijail/.
5
6The main source repo is
7https://android.googlesource.com/platform/external/minijail/.
8
9There might be other copies floating around, but this is the official one!
10
11[TOC]
12
13## What is it?
14
15Minijail is a sandboxing and containment tool used in Chrome OS and Android.
16It provides an executable that can be used to launch and sandbox other programs,
17and a library that can be used by code to sandbox itself.
18
19## Getting the code
20
21You're one `git clone` away from happiness.
22
23```
24$ git clone https://android.googlesource.com/platform/external/minijail
25$ cd minijail
26```
27
28Releases are tagged as `linux-vXX`:
29https://android.googlesource.com/platform/external/minijail/+refs
30
31## Building
32
33See the [HACKING.md](./HACKING.md) document for more details.
34
35## Release process
36
37See the [RELEASE.md](./RELEASE.md) document for more details.
38
39## Additional tools
40
41See the [tools/README.md](./tools/README.md) document for more details.
42
43## Contact
44
45We've got a couple of contact points.
46
47* [minijail@chromium.org]: Public user & developer mailing list.
48* [minijail-users@google.com]: Internal Google user mailing list.
49* [minijail-dev@google.com]: Internal Google developer mailing list.
50* [crbug.com/list]: Existing bug reports & feature requests.
51* [crbug.com/new]: File new bug reports & feature requests.
52* [AOSP Gerrit]: Code reviews.
53
54[minijail@chromium.org]: https://groups.google.com/a/chromium.org/forum/#!forum/minijail
55[minijail-users@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-users
56[minijail-dev@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-dev
57[crbug.com/list]: https://crbug.com/?q=component:OS>Systems>Minijail
58[crbug.com/new]: https://bugs.chromium.org/p/chromium/issues/entry?components=OS>Systems>Minijail
59[AOSP Gerrit]: https://android-review.googlesource.com/q/project:platform/external/minijail
60
61## Talks and presentations
62
63The following talk serves as a good introduction to Minijail and how it can be used.
64
65[Video](https://drive.google.com/file/d/0BwPS_JpKyELWZTFBcTVsa1hhYjA/preview),
66[slides](https://docs.google.com/presentation/d/e/2PACX-1vRBqpin5xR9sng6lIBPjG0XQtu-uWWgr0ds-M3zW13XpDO-bTcMERLwoHUEB9078p1yqr9L-su9n5dk/pub).
67
68## Example usage
69
70The Chromium OS project has a comprehensive
71[sandboxing](https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md)
72document that is largely based on Minijail.
73
74After you play with the simple examples below, you should check that out.
75
76### Change root to any user
77
78```
79# id
80uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
81# minijail0 -u jorgelo -g 5000 /usr/bin/id
82uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
83```
84
85### Drop root while keeping some capabilities
86
87```
88# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
89Name: cat
90...
91CapInh: 0000000000003000
92CapPrm: 0000000000003000
93CapEff: 0000000000003000
94CapBnd: 0000000000003000
95```
96
97## Historical notes
98
99Q. "Why is it called minijail0?"
100
101A. It is minijail0 because it was a rewrite of an earlier program named
102minijail, which was considerably less mini, and in particular had a dependency
103on libchrome (the Chrome OS packaged version of Chromium's //base).  We needed a
104new name to not collide with the deprecated one.
105
106We didn't want to call it minijail2 or something that would make people
107start using it before we were ready, and it was also concretely _less_ since it
108dropped libbase, etc.  Technically, we needed to be able to fork/preload with
109minimal extra syscall noise which was too hard with libbase at the time (onexit
110handlers, etc that called syscalls we didn't want to allow).  Also, Elly made a
111strong case that C would be the right choice for this for linking and ease of
112controlled surprise system call use.
113
114https://crrev.com/c/4585/ added the original implementation.
115
116Source: Conversations with original authors, ellyjones@ and wad@.
117
118## How to manually upgrade Minijail on Chrome OS
119
120Minijail is manually upgraded on Chrome OS so that there is a way to test
121changes in the Chrome OS commit queue. Committed changes have already passed
122Android's presubmit checks, but the ebuild upgrade CL goes through the Chrome
123OS commit queue and must pass the tests before any additional changes are
124available for use on Chrome OS. To upgrade minijail on Chrome OS, complete the
125following steps.
126
127```bash
128# Sync Minijail repo
129cd ~/chromiumos/src/aosp/external/minijail
130git checkout m/main
131repo sync .
132
133# Set up local branch.
134cd ~/trunk/src/third_party/chromiumos-overlay/
135repo start minijail .  # replace minijail with the local branch name you want.
136
137# Run upgrade script.
138~/trunk/chromite/scripts/cros_uprev --force --overlay-type public \
139  --packages chromeos-base/minijail:dev-rust/minijail-sys:dev-rust/minijail
140```
141
142At this point the Minijail-related packages should be upgraded, so you may want
143to add the changes to a commit and do some local testing before uploading a
144change list. Here are the recommended local tests to try (make sure you are
145**not** working on the minijail packages first i.e. `cros_workon list-all`):
146
147```bash
148# Check build.
149./build_packages --board=${BOARD}
150
151# Check unit tests.
152FEATURES=test emerge-${BOARD} chromeos-base/minijail dev-rust/minijail-sys \
153  dev-rust/minijail
154
155# Check integration tests.
156cros deploy <DUT> chromeos-base/minijail
157tast run <DUT> security.Minijail.* security.MinijailSeccomp
158```
159
160Finally, when uploading the CL make sure to include the list of changes
161since the last uprev. The command to generate the list is as follows:
162```bash
163git log --oneline --no-merges <previous hash in ebuild file>..HEAD
164```
165