Google Git
Sign in
android / platform / external / minijail / e119bbb81cb42aaddef61882b3747cf7995465f7
commite119bbb81cb42aaddef61882b3747cf7995465f7[log] [tgz]
authorNicole Anderson-Au <[email protected]>Thu Feb 04 23:12:12 2021 +0000
committerNicole Anderson-Au <[email protected]>Fri Feb 05 16:05:34 2021 +0000
tree2bbf012b220b1b54930ba5e988d5df5884de620e
parent079c40afb00485a719a51afdfc2da56ecaba8b66 [diff]
minijail: Don't allow stricter remounting of specific dir

The intended use of the --mount-propagation flag is to allow enforcing
a more strict mount propagation with remount_mode over the filesystem
while allowing for specific mounts to be less strict. This change
ensures that users are doing this and not trying the use the feature
the other way around by making a specific directory more strict than
the general filesystem (which offers little actual security).

Bug: chromium:1102404
Test: make tests
tried to enter minijail with the commandline:
sudo ./minijail0 -v -Kshared --mount-propagation private:/proc /bin/bash
and ensured that it errored with the correct message

Change-Id: Ife992f7a0fed8080afa19499c10a6f688f77e90b
2 files changed
tree: 2bbf012b220b1b54930ba5e988d5df5884de620e
  1. .github/
  2. examples/
  3. linux-x86/
  4. rust/
  5. test/
  6. tools/
  7. .clang-format
  8. .gitignore
  9. Android.bp
  10. arch.h
  11. bpf.c
  12. bpf.h
  13. CleanSpec.mk
  14. common.mk
  15. CPPLINT.cfg
  16. dump_constants.cc
  17. elfparse.c
  18. elfparse.h
  19. gen_constants-inl.h
  20. gen_constants.c
  21. gen_constants.sh
  22. gen_syscalls-inl.h
  23. gen_syscalls.c
  24. gen_syscalls.sh
  25. get_googletest.sh
  26. HACKING.md
  27. libconstants.h
  28. libminijail-private.h
  29. libminijail.c
  30. libminijail.h
  31. libminijail.pc.in
  32. libminijail_unittest.cc
  33. libminijailpreload.c
  34. libsyscalls.h
  35. LICENSE
  36. Makefile
  37. METADATA
  38. minijail0.1
  39. minijail0.5
  40. minijail0.c
  41. minijail0.sh
  42. minijail0_cli.c
  43. minijail0_cli.h
  44. minijail0_cli_unittest.cc
  45. MODULE_LICENSE_BSD
  46. navbar.md
  47. NOTICE
  48. OWNERS
  49. OWNERS.rust
  50. parse_seccomp_policy.cc
  51. platform2_preinstall.sh
  52. PRESUBMIT.cfg
  53. PREUPLOAD.cfg
  54. README.md
  55. RELEASE.md
  56. scoped_minijail.h
  57. setup.py
  58. signal_handler.c
  59. signal_handler.h
  60. syscall_filter.c
  61. syscall_filter.h
  62. syscall_filter_unittest.cc
  63. syscall_filter_unittest_macros.h
  64. syscall_wrapper.c
  65. syscall_wrapper.h
  66. system.c
  67. system.h
  68. system_unittest.cc
  69. TEST_MAPPING
  70. testrunner.cc
  71. util.c
  72. util.h
  73. util_unittest.cc
README.md

Minijail

The Minijail homepage is https://google.github.io/minijail/.

The main source repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Additional tools

See the tools/README.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000