Google Git
Sign in
android / platform / external / minijail / e1a868923c2daf9a7ed3b9300f5e18ca295bf0e8
commite1a868923c2daf9a7ed3b9300f5e18ca295bf0e8[log] [tgz]
authorJorge Lucangeli Obes <[email protected]>Mon Jun 10 16:17:03 2019 -0400
committerTreehugger Robot <[email protected]>Tue Jun 18 19:14:15 2019 +0000
tree552698063e77964bec2db6785a1d2fb4f6a82658
parent87ec5cddd130ebedcf8992261f1127b1efe6d952 [diff]
Add scaffolding to support SECCOMP_RET_LOG.

This CL adds some scaffolding to support SECCOMP_RET_LOG.
It replaces individual logging options in syscall_filter.h with a
filter options struct.

Going forward, we'll have the following combinations:
* If tsync is not requested and logging is not requested,
kill with SECCOMP_RET_KILL.
* If tsync is requested and logging is not requested,
kill with SECCOMP_RET_TRAP.
* If logging is requested and SECCOMP_RET_LOG is not available,
use existing logging mechanism (which implies blocking with RET_TRAP).
* If logging is requested and SECCOMP_RET_LOG is available,
use SECCOMP_RET_LOG.

Feature detection is done by reading
$ cat /proc/sys/kernel/seccomp/actions_avail
kill_process kill_thread trap errno trace log allow

Note that there is a slight change: before, while we didn't officially
support -L in production settings, it wasn't completely unsafe to do
so. SECCOMP_RET_LOG, on the other hand, is completely unsafe so it
should be properly compile-time restricted to debug builds.

The next CL will implement the above. A follow up CL after the next one
will introduce SECCOMP_RET_KILL_PROCESS.

Bug: chromium:934859
Test: Existing unit tests.

Change-Id: I83c1c0adbc983f2be39003d55b0314761e8de657
6 files changed
tree: 552698063e77964bec2db6785a1d2fb4f6a82658
  1. examples/
  2. linux-x86/
  3. test/
  4. tools/
  5. .clang-format
  6. .gitignore
  7. Android.bp
  8. arch.h
  9. bpf.c
  10. bpf.h
  11. CleanSpec.mk
  12. common.mk
  13. CPPLINT.cfg
  14. dump_constants.cc
  15. elfparse.c
  16. elfparse.h
  17. gen_constants-inl.h
  18. gen_constants.c
  19. gen_constants.sh
  20. gen_syscalls.c
  21. gen_syscalls.sh
  22. get_googletest.sh
  23. HACKING.md
  24. libconstants.h
  25. libminijail-private.h
  26. libminijail.c
  27. libminijail.h
  28. libminijail.pc.in
  29. libminijail_unittest.cc
  30. libminijailpreload.c
  31. libsyscalls.h
  32. LICENSE
  33. Makefile
  34. minijail0.1
  35. minijail0.5
  36. minijail0.c
  37. minijail0_cli.c
  38. minijail0_cli.h
  39. minijail0_cli_unittest.cc
  40. MODULE_LICENSE_BSD
  41. navbar.md
  42. NOTICE
  43. OWNERS
  44. parse_seccomp_policy.cc
  45. platform2_preinstall.sh
  46. PRESUBMIT.cfg
  47. PREUPLOAD.cfg
  48. README.md
  49. RELEASE.md
  50. scoped_minijail.h
  51. signal_handler.c
  52. signal_handler.h
  53. syscall_filter.c
  54. syscall_filter.h
  55. syscall_filter_unittest.cc
  56. syscall_filter_unittest_macros.h
  57. syscall_wrapper.c
  58. syscall_wrapper.h
  59. system.c
  60. system.h
  61. system_unittest.cc
  62. testrunner.cc
  63. util.c
  64. util.h
  65. util_unittest.cc
README.md

Minijail

The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000