Google Git
Sign in
android / platform / external / minijail / a12687bc602fe52f75c5a61b6d49f18bba909787
commita12687bc602fe52f75c5a61b6d49f18bba909787[log] [tgz]
authorMatt Delco <[email protected]>Fri Feb 07 17:12:47 2020 -0800
committerTreehugger Robot <[email protected]>Wed Feb 12 15:59:49 2020 +0000
tree7f5f73eff5fe1e21acb23c11efe67a6f4b9c84db
parent6123e5aea63e669b9df73f7fa287e27ad28db426 [diff]
add support for python installer

The best I could come up with for allowing compile_seccomp_policy
to be an executable script installed via setup.py.

Originally I cooked up a trick where setup.py also had:

data_files=[('minijail', ['constants.json'])],

and compile_seccomp_policy.py used:

constants_file = 'constants.json'
if pkg_resources.resource_exists(__name__, constants_file):
    constants_file = pkg_resources.resource_filename(__name__, constants_file)

so that a package can ship with a constants.json and auotmatically use
it.  This works when installed as a 'dist-package' egg, but CrOS installs
as a 'site-package' where this trick don't work (constants.json ends up in
another location under /usr, not to mention being stored with a board) and it
complicates the dependency story for the Makefile so I punted.

For both 'dist-package' and 'site-package' the plain "import XXX" form doesn't work
for files located in the same directory (results in a ModuleNotFoundError error),
so I've added a "from minijail import XXX" fallback so new & original cases both
work okay.

Bug: None
Test: `make tests`.  Ran 'python3 setup.py install --record files.txt'
and verified the stubs in /usr/local/bin could be used to launch the 3
scripts without import errors.

Change-Id: I61fe0b624960c89fd715c1c60213edc2b736ad1c
7 files changed
tree: 7f5f73eff5fe1e21acb23c11efe67a6f4b9c84db
  1. .github/
  2. examples/
  3. linux-x86/
  4. test/
  5. tools/
  6. .clang-format
  7. .gitignore
  8. Android.bp
  9. arch.h
  10. bpf.c
  11. bpf.h
  12. build.rs
  13. Cargo.toml
  14. CleanSpec.mk
  15. common.mk
  16. CPPLINT.cfg
  17. dump_constants.cc
  18. elfparse.c
  19. elfparse.h
  20. gen_constants-inl.h
  21. gen_constants.c
  22. gen_constants.sh
  23. gen_syscalls.c
  24. gen_syscalls.sh
  25. get_googletest.sh
  26. HACKING.md
  27. lib.rs
  28. libconstants.h
  29. libminijail-private.h
  30. libminijail.c
  31. libminijail.h
  32. libminijail.pc.in
  33. libminijail.rs
  34. libminijail_unittest.cc
  35. libminijailpreload.c
  36. libsyscalls.h
  37. LICENSE
  38. Makefile
  39. minijail0.1
  40. minijail0.5
  41. minijail0.c
  42. minijail0_cli.c
  43. minijail0_cli.h
  44. minijail0_cli_unittest.cc
  45. MODULE_LICENSE_BSD
  46. navbar.md
  47. NOTICE
  48. OWNERS
  49. OWNERS.rust
  50. parse_seccomp_policy.cc
  51. platform2_preinstall.sh
  52. PRESUBMIT.cfg
  53. PREUPLOAD.cfg
  54. README.md
  55. RELEASE.md
  56. scoped_minijail.h
  57. setup.py
  58. signal_handler.c
  59. signal_handler.h
  60. syscall_filter.c
  61. syscall_filter.h
  62. syscall_filter_unittest.cc
  63. syscall_filter_unittest_macros.h
  64. syscall_wrapper.c
  65. syscall_wrapper.h
  66. system.c
  67. system.h
  68. system_unittest.cc
  69. TEST_MAPPING
  70. testrunner.cc
  71. util.c
  72. util.h
  73. util_unittest.cc
README.md

Minijail

The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Additional tools

See the tools/README.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000