|
Name |
|
Date |
Size |
#Lines |
LOC |
| .. | | - | - |
| .github/workflows/ | | 03-May-2024 | - | 97 | 67 |
| examples/ | | 03-May-2024 | - | 94 | 59 |
| linux-x86/ | | 03-May-2024 | - | 6,665 | 6,658 |
| rust/ | | 03-May-2024 | - | 2,156 | 1,796 |
| test/ | | 03-May-2024 | - | 197 | 139 |
| tools/ | | 03-May-2024 | - | 4,963 | 3,840 |
| .clang-format | D | 03-May-2024 | 181 | 8 | 7 |
| .gitignore | D | 03-May-2024 | 610 | 48 | 35 |
| Android.bp | D | 03-May-2024 | 14 KiB | 557 | 498 |
| CPPLINT.cfg | D | 03-May-2024 | 17 | 2 | 1 |
| CleanSpec.mk | D | 03-May-2024 | 2.2 KiB | 52 | 1 |
| DIR_METADATA | D | 03-May-2024 | 515 | 18 | 14 |
| HACKING.md | D | 03-May-2024 | 2.9 KiB | 87 | 62 |
| LICENSE | D | 03-May-2024 | 1.5 KiB | 29 | 28 |
| METADATA | D | 03-May-2024 | 39 | 4 | 3 |
| MODULE_LICENSE_BSD | D | 03-May-2024 | 0 | | |
| Makefile | D | 03-May-2024 | 10.3 KiB | 300 | 167 |
| NOTICE | D | 03-May-2024 | 1.5 KiB | 28 | 27 |
| OWNERS | D | 03-May-2024 | 252 | 11 | 9 |
| OWNERS_GENERAL | D | 03-May-2024 | 58 | 4 | 3 |
| PRESUBMIT.cfg | D | 03-May-2024 | 264 | 12 | 8 |
| PREUPLOAD.cfg | D | 03-May-2024 | 219 | 9 | 6 |
| README.md | D | 03-May-2024 | 3.9 KiB | 117 | 80 |
| RELEASE.md | D | 03-May-2024 | 530 | 25 | 17 |
| TEST_MAPPING | D | 03-May-2024 | 495 | 31 | 30 |
| arch.h | D | 03-May-2024 | 2.7 KiB | 98 | 79 |
| bpf.c | D | 03-May-2024 | 10.2 KiB | 398 | 307 |
| bpf.h | D | 03-May-2024 | 6.4 KiB | 227 | 156 |
| common.mk | D | 03-May-2024 | 32.3 KiB | 953 | 561 |
| config_parser.c | D | 03-May-2024 | 3.7 KiB | 150 | 104 |
| config_parser.h | D | 03-May-2024 | 1.2 KiB | 56 | 26 |
| config_parser_unittest.cc | D | 03-May-2024 | 4 KiB | 133 | 103 |
| dump_constants.cc | D | 03-May-2024 | 1.5 KiB | 51 | 38 |
| elfparse.c | D | 03-May-2024 | 4.7 KiB | 119 | 88 |
| elfparse.h | D | 03-May-2024 | 3.9 KiB | 100 | 70 |
| gen_constants-inl.h | D | 03-May-2024 | 2.3 KiB | 80 | 57 |
| gen_constants.c | D | 03-May-2024 | 31 | 2 | 1 |
| gen_constants.sh | D | 03-May-2024 | 1.7 KiB | 62 | 33 |
| gen_syscalls-inl.h | D | 03-May-2024 | 2.3 KiB | 114 | 88 |
| gen_syscalls.c | D | 03-May-2024 | 24 | 2 | 1 |
| gen_syscalls.sh | D | 03-May-2024 | 1.5 KiB | 61 | 32 |
| get_googletest.sh | D | 03-May-2024 | 209 | 7 | 3 |
| landlock.h | D | 03-May-2024 | 3.2 KiB | 133 | 56 |
| landlock_util.c | D | 03-May-2024 | 1.7 KiB | 66 | 51 |
| landlock_util.h | D | 03-May-2024 | 2.7 KiB | 107 | 68 |
| libconstants.h | D | 03-May-2024 | 378 | 16 | 8 |
| libminijail-private.h | D | 03-May-2024 | 2.5 KiB | 93 | 22 |
| libminijail.c | D | 03-May-2024 | 100.7 KiB | 3,974 | 2,841 |
| libminijail.h | D | 03-May-2024 | 20.9 KiB | 560 | 152 |
| libminijail.pc.in | D | 03-May-2024 | 157 | 9 | 7 |
| libminijail_unittest.cc | D | 03-May-2024 | 53.1 KiB | 1,873 | 1,405 |
| libminijailpreload.c | D | 03-May-2024 | 4.9 KiB | 154 | 77 |
| libsyscalls.h | D | 03-May-2024 | 421 | 18 | 10 |
| minijail0.1 | D | 03-May-2024 | 17.2 KiB | 401 | 372 |
| minijail0.5 | D | 03-May-2024 | 6.9 KiB | 193 | 146 |
| minijail0.c | D | 03-May-2024 | 2.1 KiB | 84 | 52 |
| minijail0.sh | D | 03-May-2024 | 309 | 10 | 2 |
| minijail0_cli.c | D | 03-May-2024 | 36.9 KiB | 1,279 | 1,003 |
| minijail0_cli.h | D | 03-May-2024 | 652 | 29 | 15 |
| minijail0_cli_unittest.cc | D | 03-May-2024 | 17.7 KiB | 626 | 372 |
| navbar.md | D | 03-May-2024 | 348 | 12 | 9 |
| parse_seccomp_policy.cc | D | 03-May-2024 | 2.8 KiB | 111 | 86 |
| platform2_preinstall.sh | D | 03-May-2024 | 300 | 16 | 7 |
| scoped_minijail.h | D | 03-May-2024 | 616 | 33 | 18 |
| setup.py | D | 03-May-2024 | 1.8 KiB | 52 | 31 |
| signal_handler.c | D | 03-May-2024 | 1.6 KiB | 83 | 55 |
| signal_handler.h | D | 03-May-2024 | 319 | 15 | 4 |
| syscall_filter.c | D | 03-May-2024 | 23.7 KiB | 926 | 645 |
| syscall_filter.h | D | 03-May-2024 | 1.9 KiB | 87 | 62 |
| syscall_filter_unittest.cc | D | 03-May-2024 | 57.6 KiB | 2,016 | 1,434 |
| syscall_filter_unittest_macros.h | D | 03-May-2024 | 3.6 KiB | 126 | 101 |
| syscall_wrapper.c | D | 03-May-2024 | 852 | 35 | 21 |
| syscall_wrapper.h | D | 03-May-2024 | 968 | 45 | 28 |
| system.c | D | 03-May-2024 | 14.4 KiB | 568 | 358 |
| system.h | D | 03-May-2024 | 1.8 KiB | 81 | 45 |
| system_unittest.cc | D | 03-May-2024 | 8.6 KiB | 266 | 162 |
| test_util.cc | D | 03-May-2024 | 1.2 KiB | 61 | 45 |
| test_util.h | D | 03-May-2024 | 1.7 KiB | 70 | 30 |
| testrunner.cc | D | 03-May-2024 | 681 | 33 | 17 |
| unittest_util.h | D | 03-May-2024 | 2.4 KiB | 105 | 77 |
| util.c | D | 03-May-2024 | 15.5 KiB | 671 | 473 |
| util.h | D | 03-May-2024 | 11.7 KiB | 399 | 147 |
| util_unittest.cc | D | 03-May-2024 | 13.7 KiB | 445 | 352 |
README.md
1# Minijail
2
3The Minijail homepage is
4https://google.github.io/minijail/.
5
6The main source repo is
7https://chromium.googlesource.com/chromiumos/platform/minijail.
8
9There might be other copies floating around, but this is the official one!
10
11[TOC]
12
13## What is it?
14
15Minijail is a sandboxing and containment tool used in ChromeOS and Android.
16It provides an executable that can be used to launch and sandbox other programs,
17and a library that can be used by code to sandbox itself.
18
19## Getting the code
20
21You're one `git clone` away from happiness.
22
23```
24$ git clone https://chromium.googlesource.com/chromiumos/platform/minijail
25$ cd minijail
26```
27
28Releases are tagged as `linux-vXX`:
29https://chromium.googlesource.com/chromiumos/platform/minijail/+refs
30
31## Building
32
33See the [HACKING.md](./HACKING.md) document for more details.
34
35## Release process
36
37See the [RELEASE.md](./RELEASE.md) document for more details.
38
39## Additional tools
40
41See the [tools/README.md](./tools/README.md) document for more details.
42
43## Contact
44
45We've got a couple of contact points.
46
47* [minijail@chromium.org]: Public user & developer mailing list.
48* [minijail-users@google.com]: Internal Google user mailing list.
49* [minijail-dev@google.com]: Internal Google developer mailing list.
50* [crbug.com/list]: Existing bug reports & feature requests.
51* [crbug.com/new]: File new bug reports & feature requests.
52* [Chromium Gerrit]: Code reviews.
53
54[minijail@chromium.org]: https://groups.google.com/a/chromium.org/forum/#!forum/minijail
55[minijail-users@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-users
56[minijail-dev@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-dev
57[crbug.com/list]: https://crbug.com/?q=component:OS>Systems>Minijail
58[crbug.com/new]: https://bugs.chromium.org/p/chromium/issues/entry?components=OS>Systems>Minijail
59[Chromium Gerrit]: https://chromium-review.googlesource.com/q/project:chromiumos/platform/minijail
60
61## Talks and presentations
62
63The following talk serves as a good introduction to Minijail and how it can be used.
64
65[Video](https://drive.google.com/file/d/0BwPS_JpKyELWZTFBcTVsa1hhYjA/preview),
66[slides](https://docs.google.com/presentation/d/e/2PACX-1vRBqpin5xR9sng6lIBPjG0XQtu-uWWgr0ds-M3zW13XpDO-bTcMERLwoHUEB9078p1yqr9L-su9n5dk/pub).
67
68## Example usage
69
70The ChromiumOS project has a comprehensive
71[sandboxing](https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md)
72document that is largely based on Minijail.
73
74After you play with the simple examples below, you should check that out.
75
76### Change root to any user
77
78```
79# id
80uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
81# minijail0 -u jorgelo -g 5000 /usr/bin/id
82uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
83```
84
85### Drop root while keeping some capabilities
86
87```
88# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
89Name: cat
90...
91CapInh: 0000000000003000
92CapPrm: 0000000000003000
93CapEff: 0000000000003000
94CapBnd: 0000000000003000
95```
96
97## Historical notes
98
99Q. "Why is it called minijail0?"
100
101A. It is minijail0 because it was a rewrite of an earlier program named
102minijail, which was considerably less mini, and in particular had a dependency
103on libchrome (the ChromeOS packaged version of Chromium's //base). We needed a
104new name to not collide with the deprecated one.
105
106We didn't want to call it minijail2 or something that would make people
107start using it before we were ready, and it was also concretely _less_ since it
108dropped libbase, etc. Technically, we needed to be able to fork/preload with
109minimal extra syscall noise which was too hard with libbase at the time (onexit
110handlers, etc that called syscalls we didn't want to allow). Also, Elly made a
111strong case that C would be the right choice for this for linking and ease of
112controlled surprise system call use.
113
114https://crrev.com/c/4585/ added the original implementation.
115
116Source: Conversations with original authors, ellyjones@ and wad@.
117