|
Name |
|
Date |
Size |
#Lines |
LOC |
| .. | | - | - |
| .github/workflows/ | | 03-May-2024 | - | 97 | 67 |
| examples/ | | 03-May-2024 | - | 94 | 59 |
| linux-x86/ | | 03-May-2024 | - | 6,665 | 6,658 |
| rust/ | | 03-May-2024 | - | 1,995 | 1,651 |
| test/ | | 03-May-2024 | - | 190 | 133 |
| tools/ | | 03-May-2024 | - | 4,954 | 3,852 |
| .clang-format | D | 03-May-2024 | 181 | 8 | 7 |
| .gitignore | D | 03-May-2024 | 610 | 48 | 35 |
| Android.bp | D | 03-May-2024 | 15.1 KiB | 605 | 543 |
| CPPLINT.cfg | D | 03-May-2024 | 17 | 2 | 1 |
| CleanSpec.mk | D | 03-May-2024 | 2.2 KiB | 52 | 1 |
| DIR_METADATA | D | 03-May-2024 | 515 | 18 | 14 |
| HACKING.md | D | 03-May-2024 | 2.9 KiB | 87 | 62 |
| LICENSE | D | 03-May-2024 | 1.5 KiB | 29 | 28 |
| METADATA | D | 03-May-2024 | 39 | 4 | 3 |
| MODULE_LICENSE_BSD | D | 03-May-2024 | 0 | | |
| Makefile | D | 03-May-2024 | 8.3 KiB | 260 | 157 |
| NOTICE | D | 03-May-2024 | 1.5 KiB | 28 | 27 |
| OWNERS | D | 03-May-2024 | 86 | 6 | 5 |
| OWNERS_GENERAL | D | 03-May-2024 | 58 | 4 | 3 |
| PRESUBMIT.cfg | D | 03-May-2024 | 264 | 12 | 8 |
| PREUPLOAD.cfg | D | 03-May-2024 | 133 | 6 | 4 |
| README.md | D | 03-May-2024 | 5.5 KiB | 165 | 118 |
| RELEASE.md | D | 03-May-2024 | 530 | 25 | 17 |
| TEST_MAPPING | D | 03-May-2024 | 495 | 31 | 30 |
| arch.h | D | 03-May-2024 | 2.7 KiB | 98 | 79 |
| bpf.c | D | 03-May-2024 | 10.2 KiB | 398 | 307 |
| bpf.h | D | 03-May-2024 | 6.4 KiB | 227 | 156 |
| common.mk | D | 03-May-2024 | 32.3 KiB | 953 | 561 |
| config_parser.c | D | 03-May-2024 | 3.6 KiB | 149 | 104 |
| config_parser.h | D | 03-May-2024 | 1.3 KiB | 56 | 26 |
| config_parser_unittest.cc | D | 03-May-2024 | 4 KiB | 133 | 103 |
| dump_constants.cc | D | 03-May-2024 | 1.5 KiB | 51 | 38 |
| elfparse.c | D | 03-May-2024 | 4.8 KiB | 119 | 88 |
| elfparse.h | D | 03-May-2024 | 4 KiB | 100 | 70 |
| gen_constants-inl.h | D | 03-May-2024 | 2.3 KiB | 76 | 54 |
| gen_constants.c | D | 03-May-2024 | 31 | 2 | 1 |
| gen_constants.sh | D | 03-May-2024 | 1.7 KiB | 62 | 33 |
| gen_syscalls-inl.h | D | 03-May-2024 | 1.8 KiB | 80 | 58 |
| gen_syscalls.c | D | 03-May-2024 | 24 | 2 | 1 |
| gen_syscalls.sh | D | 03-May-2024 | 1.6 KiB | 61 | 32 |
| get_googletest.sh | D | 03-May-2024 | 209 | 7 | 3 |
| libconstants.h | D | 03-May-2024 | 401 | 16 | 8 |
| libminijail-private.h | D | 03-May-2024 | 2.6 KiB | 93 | 22 |
| libminijail.c | D | 03-May-2024 | 93.1 KiB | 3,691 | 2,649 |
| libminijail.h | D | 03-May-2024 | 19.9 KiB | 535 | 143 |
| libminijail.pc.in | D | 03-May-2024 | 157 | 9 | 7 |
| libminijail_unittest.cc | D | 03-May-2024 | 40.6 KiB | 1,442 | 1,062 |
| libminijailpreload.c | D | 03-May-2024 | 4.9 KiB | 154 | 77 |
| libsyscalls.h | D | 03-May-2024 | 448 | 18 | 10 |
| minijail0.1 | D | 03-May-2024 | 17.2 KiB | 401 | 372 |
| minijail0.5 | D | 03-May-2024 | 6.8 KiB | 192 | 145 |
| minijail0.c | D | 03-May-2024 | 2.1 KiB | 84 | 52 |
| minijail0.sh | D | 03-May-2024 | 332 | 10 | 2 |
| minijail0_cli.c | D | 03-May-2024 | 35.7 KiB | 1,242 | 966 |
| minijail0_cli.h | D | 03-May-2024 | 675 | 29 | 15 |
| minijail0_cli_unittest.cc | D | 03-May-2024 | 17.3 KiB | 609 | 360 |
| navbar.md | D | 03-May-2024 | 348 | 12 | 9 |
| parse_seccomp_policy.cc | D | 03-May-2024 | 2.8 KiB | 111 | 86 |
| platform2_preinstall.sh | D | 03-May-2024 | 323 | 16 | 7 |
| scoped_minijail.h | D | 03-May-2024 | 639 | 33 | 18 |
| setup.py | D | 03-May-2024 | 1.8 KiB | 52 | 31 |
| signal_handler.c | D | 03-May-2024 | 1.6 KiB | 83 | 55 |
| signal_handler.h | D | 03-May-2024 | 346 | 15 | 4 |
| syscall_filter.c | D | 03-May-2024 | 23.7 KiB | 926 | 645 |
| syscall_filter.h | D | 03-May-2024 | 1.9 KiB | 87 | 62 |
| syscall_filter_unittest.cc | D | 03-May-2024 | 57.6 KiB | 2,016 | 1,434 |
| syscall_filter_unittest_macros.h | D | 03-May-2024 | 3.6 KiB | 126 | 101 |
| syscall_wrapper.c | D | 03-May-2024 | 875 | 35 | 21 |
| syscall_wrapper.h | D | 03-May-2024 | 991 | 45 | 28 |
| system.c | D | 03-May-2024 | 14 KiB | 545 | 341 |
| system.h | D | 03-May-2024 | 1.6 KiB | 69 | 43 |
| system_unittest.cc | D | 03-May-2024 | 10.5 KiB | 334 | 220 |
| test_util.cc | D | 03-May-2024 | 1.2 KiB | 61 | 45 |
| test_util.h | D | 03-May-2024 | 1.7 KiB | 70 | 30 |
| testrunner.cc | D | 03-May-2024 | 704 | 33 | 17 |
| util.c | D | 03-May-2024 | 15.2 KiB | 650 | 460 |
| util.h | D | 03-May-2024 | 11 KiB | 365 | 125 |
| util_unittest.cc | D | 03-May-2024 | 13.1 KiB | 431 | 340 |
README.md
1# Minijail
2
3The Minijail homepage is
4https://google.github.io/minijail/.
5
6The main source repo is
7https://android.googlesource.com/platform/external/minijail/.
8
9There might be other copies floating around, but this is the official one!
10
11[TOC]
12
13## What is it?
14
15Minijail is a sandboxing and containment tool used in Chrome OS and Android.
16It provides an executable that can be used to launch and sandbox other programs,
17and a library that can be used by code to sandbox itself.
18
19## Getting the code
20
21You're one `git clone` away from happiness.
22
23```
24$ git clone https://android.googlesource.com/platform/external/minijail
25$ cd minijail
26```
27
28Releases are tagged as `linux-vXX`:
29https://android.googlesource.com/platform/external/minijail/+refs
30
31## Building
32
33See the [HACKING.md](./HACKING.md) document for more details.
34
35## Release process
36
37See the [RELEASE.md](./RELEASE.md) document for more details.
38
39## Additional tools
40
41See the [tools/README.md](./tools/README.md) document for more details.
42
43## Contact
44
45We've got a couple of contact points.
46
47* [minijail@chromium.org]: Public user & developer mailing list.
48* [minijail-users@google.com]: Internal Google user mailing list.
49* [minijail-dev@google.com]: Internal Google developer mailing list.
50* [crbug.com/list]: Existing bug reports & feature requests.
51* [crbug.com/new]: File new bug reports & feature requests.
52* [AOSP Gerrit]: Code reviews.
53
54[minijail@chromium.org]: https://groups.google.com/a/chromium.org/forum/#!forum/minijail
55[minijail-users@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-users
56[minijail-dev@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-dev
57[crbug.com/list]: https://crbug.com/?q=component:OS>Systems>Minijail
58[crbug.com/new]: https://bugs.chromium.org/p/chromium/issues/entry?components=OS>Systems>Minijail
59[AOSP Gerrit]: https://android-review.googlesource.com/q/project:platform/external/minijail
60
61## Talks and presentations
62
63The following talk serves as a good introduction to Minijail and how it can be used.
64
65[Video](https://drive.google.com/file/d/0BwPS_JpKyELWZTFBcTVsa1hhYjA/preview),
66[slides](https://docs.google.com/presentation/d/e/2PACX-1vRBqpin5xR9sng6lIBPjG0XQtu-uWWgr0ds-M3zW13XpDO-bTcMERLwoHUEB9078p1yqr9L-su9n5dk/pub).
67
68## Example usage
69
70The Chromium OS project has a comprehensive
71[sandboxing](https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md)
72document that is largely based on Minijail.
73
74After you play with the simple examples below, you should check that out.
75
76### Change root to any user
77
78```
79# id
80uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
81# minijail0 -u jorgelo -g 5000 /usr/bin/id
82uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
83```
84
85### Drop root while keeping some capabilities
86
87```
88# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
89Name: cat
90...
91CapInh: 0000000000003000
92CapPrm: 0000000000003000
93CapEff: 0000000000003000
94CapBnd: 0000000000003000
95```
96
97## Historical notes
98
99Q. "Why is it called minijail0?"
100
101A. It is minijail0 because it was a rewrite of an earlier program named
102minijail, which was considerably less mini, and in particular had a dependency
103on libchrome (the Chrome OS packaged version of Chromium's //base). We needed a
104new name to not collide with the deprecated one.
105
106We didn't want to call it minijail2 or something that would make people
107start using it before we were ready, and it was also concretely _less_ since it
108dropped libbase, etc. Technically, we needed to be able to fork/preload with
109minimal extra syscall noise which was too hard with libbase at the time (onexit
110handlers, etc that called syscalls we didn't want to allow). Also, Elly made a
111strong case that C would be the right choice for this for linking and ease of
112controlled surprise system call use.
113
114https://crrev.com/c/4585/ added the original implementation.
115
116Source: Conversations with original authors, ellyjones@ and wad@.
117
118## How to manually upgrade Minijail on Chrome OS
119
120Minijail is manually upgraded on Chrome OS so that there is a way to test
121changes in the Chrome OS commit queue. Committed changes have already passed
122Android's presubmit checks, but the ebuild upgrade CL goes through the Chrome
123OS commit queue and must pass the tests before any additional changes are
124available for use on Chrome OS. To upgrade minijail on Chrome OS, complete the
125following steps.
126
127```bash
128# Sync Minijail repo
129cd ~/chromiumos/src/aosp/external/minijail
130git checkout m/main
131repo sync .
132
133# Set up local branch.
134cd ~/trunk/src/third_party/chromiumos-overlay/
135repo start minijail . # replace minijail with the local branch name you want.
136
137# Run upgrade script.
138~/trunk/chromite/scripts/cros_uprev --force --overlay-type public \
139 --packages chromeos-base/minijail:dev-rust/minijail-sys:dev-rust/minijail
140```
141
142At this point the Minijail-related packages should be upgraded, so you may want
143to add the changes to a commit and do some local testing before uploading a
144change list. Here are the recommended local tests to try (make sure you are
145**not** working on the minijail packages first i.e. `cros_workon list-all`):
146
147```bash
148# Check build.
149./build_packages --board=${BOARD}
150
151# Check unit tests.
152FEATURES=test emerge-${BOARD} chromeos-base/minijail dev-rust/minijail-sys \
153 dev-rust/minijail
154
155# Check integration tests.
156cros deploy <DUT> chromeos-base/minijail
157tast run <DUT> security.Minijail.* security.MinijailSeccomp
158```
159
160Finally, when uploading the CL make sure to include the list of changes
161since the last uprev. The command to generate the list is as follows:
162```bash
163git log --oneline --no-merges <previous hash in ebuild file>..HEAD
164```
165