Google Git
Sign in
android / platform / external / minijail / c90ec15cabe51bcd37767e81d264a8ef7e322b9b
commitc90ec15cabe51bcd37767e81d264a8ef7e322b9b[log] [tgz]
authorLuis Hector Chavez <[email protected]>Fri Dec 13 09:12:33 2019 -0800
committerLuis Hector Chavez <[email protected]>Mon Dec 16 10:42:35 2019 -0800
tree2f9dbc73e9f4ed58aa7e1c51334f5680913e62ed
parentf6f2625faebf784b9d335a58a7b71c8f33686d2c [diff]
Add a way to compile .policy files at build-time

This change adds enough Android.bp rules and tools to make it possible
to compile .policy files at build-time, using the new optimizing
compiler.

This is achieved by compiling the libconstants.gen.c and
libsyscalls.gen.c into LLVM IR files (which are roughly
architecture-neutral for our purposes). These IR files are then parsed
by the `tools/generate_constants_json.py` script and produces an
architecture-specific `constants.json` file, which can be fed into
`tools/compile_seccomp_policy.py` to compile .policy files.

The last piece of the puzzle is to actually invoke the script. This
needs to be done from a cc_genrule due to the way that soong handles
target variations, and will produce artifacts that are
architecture-specific. One example to invoke the script is as follows:

    cc_genrule {
        name: "bpf_compilation",
        host_supported: true,
        vendor_available: true,
        recovery_available: true,
        tools: ["minijail_compile_seccomp_policy"],
        cmd: "$(location minijail_compile_seccomp_policy) --arch-json $(in) $(out)",
        srcs: [":minijail_constants_json", "my_seccomp.policy"],
        out: ["my_seccomp.bpf"],
    }

Bug: None
Test: mmma -j external/minijail
Test: make all
Change-Id: I835ee18c3ff515a6f3203ed86d20ad41d4f5d066
4 files changed
tree: 2f9dbc73e9f4ed58aa7e1c51334f5680913e62ed
  1. examples/
  2. linux-x86/
  3. test/
  4. tools/
  5. .clang-format
  6. .gitignore
  7. Android.bp
  8. arch.h
  9. bpf.c
  10. bpf.h
  11. build.rs
  12. Cargo.toml
  13. CleanSpec.mk
  14. common.mk
  15. CPPLINT.cfg
  16. dump_constants.cc
  17. elfparse.c
  18. elfparse.h
  19. gen_constants-inl.h
  20. gen_constants.c
  21. gen_constants.sh
  22. gen_syscalls.c
  23. gen_syscalls.sh
  24. get_googletest.sh
  25. HACKING.md
  26. lib.rs
  27. libconstants.h
  28. libminijail-private.h
  29. libminijail.c
  30. libminijail.h
  31. libminijail.pc.in
  32. libminijail.rs
  33. libminijail_unittest.cc
  34. libminijailpreload.c
  35. libsyscalls.h
  36. LICENSE
  37. Makefile
  38. minijail0.1
  39. minijail0.5
  40. minijail0.c
  41. minijail0_cli.c
  42. minijail0_cli.h
  43. minijail0_cli_unittest.cc
  44. MODULE_LICENSE_BSD
  45. navbar.md
  46. NOTICE
  47. OWNERS
  48. OWNERS.rust
  49. parse_seccomp_policy.cc
  50. platform2_preinstall.sh
  51. PRESUBMIT.cfg
  52. PREUPLOAD.cfg
  53. README.md
  54. RELEASE.md
  55. scoped_minijail.h
  56. signal_handler.c
  57. signal_handler.h
  58. syscall_filter.c
  59. syscall_filter.h
  60. syscall_filter_unittest.cc
  61. syscall_filter_unittest_macros.h
  62. syscall_wrapper.c
  63. syscall_wrapper.h
  64. system.c
  65. system.h
  66. system_unittest.cc
  67. TEST_MAPPING
  68. testrunner.cc
  69. util.c
  70. util.h
  71. util_unittest.cc
README.md

Minijail

The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Additional tools

See the tools/README.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000