Google Git
Sign in
android / platform / external / minijail / bcc8cfd29efa4bce53e539a4f3fe55e49be70eab
commitbcc8cfd29efa4bce53e539a4f3fe55e49be70eab[log] [tgz]
authorNicole Anderson-Au <[email protected]>Tue Nov 10 20:33:27 2020 +0000
committerTreehugger Robot <[email protected]>Wed Nov 11 13:24:48 2020 +0000
tree8fc8e009012cb5582a620940e774efa79f6cc653
parentd23ad7927113a86d4b023e18660aabe9697c4a71 [diff]
minijail: Check for repeat syscall definitions

Add an option that allows for checking for duplicate syscall
definitions.
Add as a compile-time option and filter_option. If this option is on:
Maintain a data structure throughout seccomp policy syscall filter
parsing that keeps track of syscalls that have already been encountered
and where they were defined. Use this structure to tell when there are
duplicate syscall policy definitions and warn the user.

Write a unit test that checks that compile_file will return -1 if there
is a repeat syscall policy definition. Also change existing tests to
reflect this behavior.

Bug: None
TEST=built and ran unit tests

Change-Id: I3f5da9f926006dc7498d4a6510dda5aa5aedd1a3
9 files changed
tree: 8fc8e009012cb5582a620940e774efa79f6cc653
  1. .github/
  2. examples/
  3. linux-x86/
  4. rust/
  5. test/
  6. tools/
  7. .clang-format
  8. .gitignore
  9. Android.bp
  10. arch.h
  11. bpf.c
  12. bpf.h
  13. CleanSpec.mk
  14. common.mk
  15. CPPLINT.cfg
  16. dump_constants.cc
  17. elfparse.c
  18. elfparse.h
  19. gen_constants-inl.h
  20. gen_constants.c
  21. gen_constants.sh
  22. gen_syscalls-inl.h
  23. gen_syscalls.c
  24. gen_syscalls.sh
  25. get_googletest.sh
  26. HACKING.md
  27. libconstants.h
  28. libminijail-private.h
  29. libminijail.c
  30. libminijail.h
  31. libminijail.pc.in
  32. libminijail_unittest.cc
  33. libminijailpreload.c
  34. libsyscalls.h
  35. LICENSE
  36. Makefile
  37. METADATA
  38. minijail0.1
  39. minijail0.5
  40. minijail0.c
  41. minijail0.sh
  42. minijail0_cli.c
  43. minijail0_cli.h
  44. minijail0_cli_unittest.cc
  45. MODULE_LICENSE_BSD
  46. navbar.md
  47. NOTICE
  48. OWNERS
  49. OWNERS.rust
  50. parse_seccomp_policy.cc
  51. platform2_preinstall.sh
  52. PRESUBMIT.cfg
  53. PREUPLOAD.cfg
  54. README.md
  55. RELEASE.md
  56. scoped_minijail.h
  57. setup.py
  58. signal_handler.c
  59. signal_handler.h
  60. syscall_filter.c
  61. syscall_filter.h
  62. syscall_filter_unittest.cc
  63. syscall_filter_unittest_macros.h
  64. syscall_wrapper.c
  65. syscall_wrapper.h
  66. system.c
  67. system.h
  68. system_unittest.cc
  69. TEST_MAPPING
  70. testrunner.cc
  71. util.c
  72. util.h
  73. util_unittest.cc
README.md

Minijail

The Minijail homepage is https://google.github.io/minijail/.

The main source repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Additional tools

See the tools/README.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000