Google Git
Sign in
android / platform / external / minijail / 66bcc8ce8d2597e7849ef6aa164b9807a32d95f7
commit66bcc8ce8d2597e7849ef6aa164b9807a32d95f7[log] [tgz]
authorStéphane Lesimple <[email protected]>Thu Jan 06 13:11:37 2022 +0100
committerTreehugger Robot <[email protected]>Mon Jan 10 21:28:56 2022 +0000
tree0317a0779f228f4dae4e5ddea01540214708bf5f
parent44461c76e3ac7e4477b9ea904d822dbb24dff712 [diff]
libminijailpreload: proper env cleaning

We add two utility functions in util.c:
- minijail_unsetenv, which removes a var from a given envp array
- minijail_getenv, which returns a var value from a given envp array
  (same as getenv but working on an arbitrary array)

And a static utility function in util.c:
- getenv_index, which returns the index number of a passed variable
  name, or the size of the passed array if not found
  It's used by the above two utility functions, and has also been
  integrated to minijail_setenv

And use them in libminijailpreload.c to:
- properly remove the minijail-injected .so in LD_PRELOAD, without
  completely trashing any preexisting LD_PRELOAD, as was done before
  in the code. A static func truncate_preload_env() only existing in
  libminijailpreload.c is tasked to do this, and
- properly remove the __MINIJAIL_FD (kFdEnvVar) internal variable from
  the child environment before spawning it. Before, this was done by
  zeroing the proper envp entry, which is flagged as being an invalid
  environment by some programs, such as the MongoDB official client:

Without minijail:
$ /tmp/m/bin/mongo --help >/dev/null; echo $?
0

$ env -i ./minijail0 /tmp/m/bin/mongo --help >/dev/null; echo $?
Failed global initialization: BadValue malformed environment block
libminijail[4045108]: child process 4045109 exited with status 1
1

With minijail, with this patch:
$ env -i ./minijail0 /tmp/m/bin/mongo --help >/dev/null; echo $?
0

This can also be seen using `env`:

Without minijail:
$ env -i /usr/bin/env | xxd
$

With minijail, before this patch:
$ env -i ./minijail0 /usr/bin/env | xxd
00000000: 0a0a                                     ..
$

With minijail, with this patch:
$ env -i ./minijail0 /usr/bin/env | xxd
$

Change-Id: I79739a4c6f527c49a31ce31aaa9085fa574a25ee
4 files changed
tree: 0317a0779f228f4dae4e5ddea01540214708bf5f
  1. .github/
  2. examples/
  3. linux-x86/
  4. rust/
  5. test/
  6. tools/
  7. .clang-format
  8. .gitignore
  9. Android.bp
  10. arch.h
  11. bpf.c
  12. bpf.h
  13. CleanSpec.mk
  14. common.mk
  15. config_parser.c
  16. config_parser.h
  17. config_parser_unittest.cc
  18. CPPLINT.cfg
  19. DIR_METADATA
  20. dump_constants.cc
  21. elfparse.c
  22. elfparse.h
  23. gen_constants-inl.h
  24. gen_constants.c
  25. gen_constants.sh
  26. gen_syscalls-inl.h
  27. gen_syscalls.c
  28. gen_syscalls.sh
  29. get_googletest.sh
  30. HACKING.md
  31. libconstants.h
  32. libminijail-private.h
  33. libminijail.c
  34. libminijail.h
  35. libminijail.pc.in
  36. libminijail_unittest.cc
  37. libminijailpreload.c
  38. libsyscalls.h
  39. LICENSE
  40. Makefile
  41. METADATA
  42. minijail0.1
  43. minijail0.5
  44. minijail0.c
  45. minijail0.sh
  46. minijail0_cli.c
  47. minijail0_cli.h
  48. minijail0_cli_unittest.cc
  49. MODULE_LICENSE_BSD
  50. navbar.md
  51. NOTICE
  52. OWNERS
  53. parse_seccomp_policy.cc
  54. platform2_preinstall.sh
  55. PRESUBMIT.cfg
  56. PREUPLOAD.cfg
  57. README.md
  58. RELEASE.md
  59. scoped_minijail.h
  60. setup.py
  61. signal_handler.c
  62. signal_handler.h
  63. syscall_filter.c
  64. syscall_filter.h
  65. syscall_filter_unittest.cc
  66. syscall_filter_unittest_macros.h
  67. syscall_wrapper.c
  68. syscall_wrapper.h
  69. system.c
  70. system.h
  71. system_unittest.cc
  72. TEST_MAPPING
  73. test_util.cc
  74. test_util.h
  75. testrunner.cc
  76. util.c
  77. util.h
  78. util_unittest.cc
README.md

Minijail

The Minijail homepage is https://google.github.io/minijail/.

The main source repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Additional tools

See the tools/README.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000

Historical notes

Q. “Why is it called minijail0?”

A. It is minijail0 because it was a rewrite of an earlier program named minijail, which was considerably less mini, and in particular had a dependency on libchrome (the Chrome OS packaged version of Chromium's //base). We needed a new name to not collide with the deprecated one.

We didn‘t want to call it minijail2 or something that would make people start using it before we were ready, and it was also concretely less since it dropped libbase, etc. Technically, we needed to be able to fork/preload with minimal extra syscall noise which was too hard with libbase at the time (onexit handlers, etc that called syscalls we didn’t want to allow). Also, Elly made a strong case that C would be the right choice for this for linking and ease of controlled surprise system call use.

https://crrev.com/c/4585/ added the original implementation.

Source: Conversations with original authors, ellyjones@ and wad@.

How to manually upgrade Minijail on Chrome OS

Minijail is manually upgraded on Chrome OS so that there is a way to test changes in the Chrome OS commit queue. Committed changes have already passed Android's presubmit checks, but the ebuild upgrade CL goes through the Chrome OS commit queue and must pass the tests before any additional changes are available for use on Chrome OS. To upgrade minijail on Chrome OS, complete the following steps.

# Sync Minijail repo
cd ~/chromiumos/src/aosp/external/minijail
git checkout m/main
repo sync .

# Set up local branch.
cd ~/trunk/src/third_party/chromiumos-overlay/
repo start minijail .  # replace minijail with the local branch name you want.

# Run upgrade script.
~/trunk/chromite/scripts/cros_uprev --force --overlay-type public \
  --packages chromeos-base/minijail:dev-rust/minijail-sys:dev-rust/minijail

At this point the Minijail-related packages should be upgraded, so you may want to add the changes to a commit and do some local testing before uploading a change list. Here are the recommended local tests to try (make sure you are not working on the minijail packages first i.e. cros_workon list-all):

# Check build.
./build_packages --board=${BOARD}

# Check unit tests.
FEATURES=test emerge-${BOARD} chromeos-base/minijail dev-rust/minijail-sys \
  dev-rust/minijail

# Check integration tests.
cros deploy <DUT> chromeos-base/minijail
tast run <DUT> security.Minijail security.MinijailSeccomp

Finally, when uploading the CL make sure to include the list of changes since the last uprev. The command to generate the list is as follows:

git log --oneline --no-merges <previous hash in ebuild file>..HEAD