Google Git
Sign in
chromium / chromiumos / platform / minijail / refs/tags/linux-v16
tagcbe67092581f95260df758ecc0d5d4d6d1afc0b5
taggerJorge Lucangeli Obes <jorgelo@google.com>Mon Jul 06 17:26:54 2020
objectafb7a139a6090944f10b4c4a1d71da21af6f4bcb 
Minijail v16.

New in this release:
* Provide idiomatic Rust wrappers for Minijail (allenwebb@google.com).
commitafb7a139a6090944f10b4c4a1d71da21af6f4bcb[log] [tgz]
authorAllen Webb <allenwebb@google.com>Mon Jun 22 15:47:48 2020
committerAllen Webb <allenwebb@google.com>Mon Jun 22 15:56:13 2020
tree2abc5d67948c10abd34e524a1168aa0c749924dd
parent96dd14e0abd27f2aaac1dc5b8ff40f17e79605f0 [diff]
rust/minijail: Make sure spawned jobs termininate during unit tests.

BUG=chromium:1096175,chromium:1097761
TEST=FEATURES=test emerge-${BOARD} dev-rust/minijail

Change-Id: I4ab231e616975031892b2211a78e41b8c99bfcde
1 file changed
tree: 2abc5d67948c10abd34e524a1168aa0c749924dd
  1. .github/
  2. examples/
  3. linux-x86/
  4. rust/
  5. test/
  6. tools/
  7. .clang-format
  8. .gitignore
  9. Android.bp
  10. arch.h
  11. bpf.c
  12. bpf.h
  13. CleanSpec.mk
  14. common.mk
  15. CPPLINT.cfg
  16. dump_constants.cc
  17. elfparse.c
  18. elfparse.h
  19. gen_constants-inl.h
  20. gen_constants.c
  21. gen_constants.sh
  22. gen_syscalls.c
  23. gen_syscalls.sh
  24. get_googletest.sh
  25. HACKING.md
  26. libconstants.h
  27. libminijail-private.h
  28. libminijail.c
  29. libminijail.h
  30. libminijail.pc.in
  31. libminijail_unittest.cc
  32. libminijailpreload.c
  33. libsyscalls.h
  34. LICENSE
  35. Makefile
  36. METADATA
  37. minijail0.1
  38. minijail0.5
  39. minijail0.c
  40. minijail0_cli.c
  41. minijail0_cli.h
  42. minijail0_cli_unittest.cc
  43. MODULE_LICENSE_BSD
  44. navbar.md
  45. NOTICE
  46. OWNERS
  47. OWNERS.rust
  48. parse_seccomp_policy.cc
  49. platform2_preinstall.sh
  50. PRESUBMIT.cfg
  51. PREUPLOAD.cfg
  52. README.md
  53. RELEASE.md
  54. scoped_minijail.h
  55. setup.py
  56. signal_handler.c
  57. signal_handler.h
  58. syscall_filter.c
  59. syscall_filter.h
  60. syscall_filter_unittest.cc
  61. syscall_filter_unittest_macros.h
  62. syscall_wrapper.c
  63. syscall_wrapper.h
  64. system.c
  65. system.h
  66. system_unittest.cc
  67. TEST_MAPPING
  68. testrunner.cc
  69. util.c
  70. util.h
  71. util_unittest.cc
README.md

Minijail

The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Additional tools

See the tools/README.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000