commit | 238e67afe3e1f7a6c3de2d5531a5ec2844eb7083 | [log] [tgz] |
---|---|---|
author | Ben Scarlato <akhna@google.com> | Thu Apr 27 19:25:00 2023 |
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | Fri Apr 28 17:32:42 2023 |
tree | 85b181ce0de688ba42a637a00d917f73387d2e8e | |
parent | b631ad7060eb3d781caa47e2d7ef098d249b60c5 [diff] |
minijail: remove LANDLOCK_ACCESS_FS_REFER logs These can be removed now, because LANDLOCK_ACCESS_FS_REFER is now backported to all chromeOS kernels that support Landlock. BUG=b:271154170 TEST=security.Minijail* Change-Id: I74d2b2253375b432eef941bdb562030cafa148ba Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/minijail/+/4481606 Auto-Submit: Ben Scarlato <akhna@google.com> Tested-by: Ben Scarlato <akhna@google.com> Reviewed-by: Allen Webb <allenwebb@google.com> Commit-Queue: Ben Scarlato <akhna@google.com>
The Minijail homepage is https://google.github.io/minijail/.
The main source repo is https://chromium.googlesource.com/chromiumos/platform/minijail.
There might be other copies floating around, but this is the official one!
Minijail is a sandboxing and containment tool used in ChromeOS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.
You're one git clone
away from happiness.
$ git clone https://chromium.googlesource.com/chromiumos/platform/minijail $ cd minijail
Releases are tagged as linux-vXX
: https://chromium.googlesource.com/chromiumos/platform/minijail/+refs
See the HACKING.md document for more details.
See the RELEASE.md document for more details.
See the tools/README.md document for more details.
We've got a couple of contact points.
The following talk serves as a good introduction to Minijail and how it can be used.
The ChromiumOS project has a comprehensive sandboxing document that is largely based on Minijail.
After you play with the simple examples below, you should check that out.
# id uid=0(root) gid=0(root) groups=0(root),128(pkcs11) # minijail0 -u jorgelo -g 5000 /usr/bin/id uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status Name: cat ... CapInh: 0000000000003000 CapPrm: 0000000000003000 CapEff: 0000000000003000 CapBnd: 0000000000003000
Q. “Why is it called minijail0?”
A. It is minijail0 because it was a rewrite of an earlier program named minijail, which was considerably less mini, and in particular had a dependency on libchrome (the ChromeOS packaged version of Chromium's //base). We needed a new name to not collide with the deprecated one.
We didn‘t want to call it minijail2 or something that would make people start using it before we were ready, and it was also concretely less since it dropped libbase, etc. Technically, we needed to be able to fork/preload with minimal extra syscall noise which was too hard with libbase at the time (onexit handlers, etc that called syscalls we didn’t want to allow). Also, Elly made a strong case that C would be the right choice for this for linking and ease of controlled surprise system call use.
https://crrev.com/c/4585/ added the original implementation.
Source: Conversations with original authors, ellyjones@ and wad@.