| Name | Date | Size | #Lines | LOC |
|---|---|---|---|---|
| `..` | - | - | | |
| `.github/workflows/` | 03-May-2024 | - | 97 | 67 |
| `examples/` | 03-May-2024 | - | 94 | 59 |
| `linux-x86/` | 03-May-2024 | - | 6,665 | 6,658 |
| `rust/` | 03-May-2024 | - | 2,156 | 1,796 |
| `test/` | 03-May-2024 | - | 197 | 139 |
| `tools/` | 03-May-2024 | - | 4,963 | 3,840 |
| `.clang-format` | 03-May-2024 | 181 | 8 | 7 |
| `.gitignore` | 03-May-2024 | 610 | 48 | 35 |
| `Android.bp` | 03-May-2024 | 14 KiB | 557 | 498 |
| `CPPLINT.cfg` | 03-May-2024 | 17 | 2 | 1 |
| `CleanSpec.mk` | 03-May-2024 | 2.2 KiB | 52 | 1 |
| `DIR_METADATA` | 03-May-2024 | 515 | 18 | 14 |
| `HACKING.md` | 03-May-2024 | 2.9 KiB | 87 | 62 |
| `LICENSE` | 03-May-2024 | 1.5 KiB | 29 | 28 |
| `METADATA` | 03-May-2024 | 39 | 4 | 3 |
| `MODULE_LICENSE_BSD` | 03-May-2024 | 0 | | |
| `Makefile` | 03-May-2024 | 10.3 KiB | 300 | 167 |
| `NOTICE` | 03-May-2024 | 1.5 KiB | 28 | 27 |
| `OWNERS` | 03-May-2024 | 252 | 11 | 9 |
| `OWNERS_GENERAL` | 03-May-2024 | 58 | 4 | 3 |
| `PRESUBMIT.cfg` | 03-May-2024 | 264 | 12 | 8 |
| `PREUPLOAD.cfg` | 03-May-2024 | 219 | 9 | 6 |
| `README.md` | 03-May-2024 | 3.9 KiB | 117 | 80 |
| `RELEASE.md` | 03-May-2024 | 530 | 25 | 17 |
| `TEST_MAPPING` | 03-May-2024 | 495 | 31 | 30 |
| `arch.h` | 03-May-2024 | 2.7 KiB | 98 | 79 |
| `bpf.c` | 03-May-2024 | 10.2 KiB | 398 | 307 |
| `bpf.h` | 03-May-2024 | 6.4 KiB | 227 | 156 |
| `common.mk` | 03-May-2024 | 32.3 KiB | 953 | 561 |
| `config_parser.c` | 03-May-2024 | 3.7 KiB | 150 | 104 |
| `config_parser.h` | 03-May-2024 | 1.2 KiB | 56 | 26 |
| `config_parser_unittest.cc` | 03-May-2024 | 4 KiB | 133 | 103 |
| `dump_constants.cc` | 03-May-2024 | 1.5 KiB | 51 | 38 |
| `elfparse.c` | 03-May-2024 | 4.7 KiB | 119 | 88 |
| `elfparse.h` | 03-May-2024 | 3.9 KiB | 100 | 70 |
| `gen_constants-inl.h` | 03-May-2024 | 2.3 KiB | 80 | 57 |
| `gen_constants.c` | 03-May-2024 | 31 | 2 | 1 |
| `gen_constants.sh` | 03-May-2024 | 1.7 KiB | 62 | 33 |
| `gen_syscalls-inl.h` | 03-May-2024 | 2.3 KiB | 114 | 88 |
| `gen_syscalls.c` | 03-May-2024 | 24 | 2 | 1 |
| `gen_syscalls.sh` | 03-May-2024 | 1.5 KiB | 61 | 32 |
| `get_googletest.sh` | 03-May-2024 | 209 | 7 | 3 |
| `landlock.h` | 03-May-2024 | 3.2 KiB | 133 | 56 |
| `landlock_util.c` | 03-May-2024 | 1.7 KiB | 66 | 51 |
| `landlock_util.h` | 03-May-2024 | 2.7 KiB | 107 | 68 |
| `libconstants.h` | 03-May-2024 | 378 | 16 | 8 |
| `libminijail-private.h` | 03-May-2024 | 2.5 KiB | 93 | 22 |
| `libminijail.c` | 03-May-2024 | 100.7 KiB | 3,974 | 2,841 |
| `libminijail.h` | 03-May-2024 | 20.9 KiB | 560 | 152 |
| `libminijail.pc.in` | 03-May-2024 | 157 | 9 | 7 |
| `libminijail_unittest.cc` | 03-May-2024 | 53.1 KiB | 1,873 | 1,405 |
| `libminijailpreload.c` | 03-May-2024 | 4.9 KiB | 154 | 77 |
| `libsyscalls.h` | 03-May-2024 | 421 | 18 | 10 |
| `minijail0.1` | 03-May-2024 | 17.2 KiB | 401 | 372 |
| `minijail0.5` | 03-May-2024 | 6.9 KiB | 193 | 146 |
| `minijail0.c` | 03-May-2024 | 2.1 KiB | 84 | 52 |
| `minijail0.sh` | 03-May-2024 | 309 | 10 | 2 |
| `minijail0_cli.c` | 03-May-2024 | 36.9 KiB | 1,279 | 1,003 |
| `minijail0_cli.h` | 03-May-2024 | 652 | 29 | 15 |
| `minijail0_cli_unittest.cc` | 03-May-2024 | 17.7 KiB | 626 | 372 |
| `navbar.md` | 03-May-2024 | 348 | 12 | 9 |
| `parse_seccomp_policy.cc` | 03-May-2024 | 2.8 KiB | 111 | 86 |
| `platform2_preinstall.sh` | 03-May-2024 | 300 | 16 | 7 |
| `scoped_minijail.h` | 03-May-2024 | 616 | 33 | 18 |
| `setup.py` | 03-May-2024 | 1.8 KiB | 52 | 31 |
| `signal_handler.c` | 03-May-2024 | 1.6 KiB | 83 | 55 |
| `signal_handler.h` | 03-May-2024 | 319 | 15 | 4 |
| `syscall_filter.c` | 03-May-2024 | 23.7 KiB | 926 | 645 |
| `syscall_filter.h` | 03-May-2024 | 1.9 KiB | 87 | 62 |
| `syscall_filter_unittest.cc` | 03-May-2024 | 57.6 KiB | 2,016 | 1,434 |
| `syscall_filter_unittest_macros.h` | 03-May-2024 | 3.6 KiB | 126 | 101 |
| `syscall_wrapper.c` | 03-May-2024 | 852 | 35 | 21 |
| `syscall_wrapper.h` | 03-May-2024 | 968 | 45 | 28 |
| `system.c` | 03-May-2024 | 14.4 KiB | 568 | 358 |
| `system.h` | 03-May-2024 | 1.8 KiB | 81 | 45 |
| `system_unittest.cc` | 03-May-2024 | 8.6 KiB | 266 | 162 |
| `test_util.cc` | 03-May-2024 | 1.2 KiB | 61 | 45 |
| `test_util.h` | 03-May-2024 | 1.7 KiB | 70 | 30 |
| `testrunner.cc` | 03-May-2024 | 681 | 33 | 17 |
| `unittest_util.h` | 03-May-2024 | 2.4 KiB | 105 | 77 |
| `util.c` | 03-May-2024 | 15.5 KiB | 671 | 473 |
| `util.h` | 03-May-2024 | 11.7 KiB | 399 | 147 |
| `util_unittest.cc` | 03-May-2024 | 13.7 KiB | 445 | 352 |

README.md

# Minijail

The Minijail homepage is
https://google.github.io/minijail/.

The main source repo is
https://chromium.googlesource.com/chromiumos/platform/minijail.

There might be other copies floating around, but this is the official one!

[TOC]

## What is it?

Minijail is a sandboxing and containment tool used in ChromeOS and Android.
It provides an executable that can be used to launch and sandbox other programs,
and a library that can be used by code to sandbox itself.

## Getting the code

You're one `git clone` away from happiness.

```
$ git clone https://chromium.googlesource.com/chromiumos/platform/minijail
$ cd minijail
```

Releases are tagged as `linux-vXX`:
https://chromium.googlesource.com/chromiumos/platform/minijail/+refs

## Building

See the [HACKING.md](./HACKING.md) document for more details.

## Release process

See the [RELEASE.md](./RELEASE.md) document for more details.

## Additional tools

See the [tools/README.md](./tools/README.md) document for more details.

## Contact

We've got a couple of contact points.

* [minijail@chromium.org]: Public user & developer mailing list.
* [minijail-users@google.com]: Internal Google user mailing list.
* [minijail-dev@google.com]: Internal Google developer mailing list.
* [crbug.com/list]: Existing bug reports & feature requests.
* [crbug.com/new]: File new bug reports & feature requests.
* [Chromium Gerrit]: Code reviews.

[minijail@chromium.org]: https://groups.google.com/a/chromium.org/forum/#!forum/minijail
[minijail-users@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-users
[minijail-dev@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-dev
[crbug.com/list]: https://crbug.com/?q=component:OS>Systems>Minijail
[crbug.com/new]: https://bugs.chromium.org/p/chromium/issues/entry?components=OS>Systems>Minijail
[Chromium Gerrit]: https://chromium-review.googlesource.com/q/project:chromiumos/platform/minijail

## Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

[Video](https://drive.google.com/file/d/0BwPS_JpKyELWZTFBcTVsa1hhYjA/preview),
[slides](https://docs.google.com/presentation/d/e/2PACX-1vRBqpin5xR9sng6lIBPjG0XQtu-uWWgr0ds-M3zW13XpDO-bTcMERLwoHUEB9078p1yqr9L-su9n5dk/pub).

## Example usage

The ChromiumOS project has a comprehensive
[sandboxing](https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md)
document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

### Change root to any user

```
# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
```

### Drop root while keeping some capabilities

```
# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000
```
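
To confirm that a jailed process holds only the capabilities you intended, the `Cap*` lines above can be decoded and compared against the hex mask passed to `-c`. The Python below is an added example, not part of the Minijail README or code base; the helper names (`decode_mask`, `parse_cap_sets`, `excess_caps`) are hypothetical, and the sample text reproduces the capability lines shown above.

```python
import re

# Capability bit positions as defined in Linux's include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capability lines from the `minijail0 -u jorgelo -c 3000` output shown above.
SAMPLE_STATUS = (
    "Name:\tcat\n"
    "CapInh:\t0000000000003000\n"
    "CapPrm:\t0000000000003000\n"
    "CapEff:\t0000000000003000\n"
    "CapBnd:\t0000000000003000\n"
)

def decode_mask(mask):
    """Return the capability name for every bit set in mask (lowest bit first)."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"cap_{b}"
            for b in range(mask.bit_length()) if (mask >> b) & 1]

def parse_cap_sets(status_text):
    """Map each Cap* field of a /proc/<pid>/status dump to its integer mask."""
    pattern = r"^(Cap\w+):[ \t]*([0-9a-fA-F]+)[ \t]*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def excess_caps(status_text, allowed_mask):
    """Return {set name: [capability names]} for bits held outside allowed_mask."""
    excess = {}
    for name, mask in parse_cap_sets(status_text).items():
        extra = mask & ~allowed_mask
        if extra:
            excess[name] = decode_mask(extra)
    return excess

if __name__ == "__main__":
    print(decode_mask(0x3000), excess_caps(SAMPLE_STATUS, 0x3000))
```

An empty result from `excess_caps` means every capability set in the dump stays within the allowed mask; any entry names the set and the unexpected capabilities.
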

## Historical notes

Q. "Why is it called minijail0?"

A. It is minijail0 because it was a rewrite of an earlier program named
minijail, which was considerably less mini, and in particular had a dependency
on libchrome (the ChromeOS packaged version of Chromium's //base).  We needed a
new name to not collide with the deprecated one.

We didn't want to call it minijail2 or something that would make people
start using it before we were ready, and it was also concretely _less_ since it
dropped libbase, etc.  Technically, we needed to be able to fork/preload with
minimal extra syscall noise which was too hard with libbase at the time (onexit
handlers, etc that called syscalls we didn't want to allow).  Also, Elly made a
strong case that C would be the right choice for this for linking and ease of
controlled surprise system call use.

https://crrev.com/c/4585/ added the original implementation.

Source: Conversations with original authors, ellyjones@ and wad@.
117