Workarounds for Android host glibc toolchain

When minijail is built against the Android host glibc toolchain, its
syscall and ioctl coverage becomes limited by the very old Linux C
headers the toolchain is using. Because crosvm jails subprocesses
that can load e.g. GL libraries or FUSE which may be built with much
newer glibc versions, we need support for some newer syscalls and
ioctls added to Linux.

Minijail will throw parse errors for any syscall or ioctl in .policy
files that it doesn't understand; and anyway, it wouldn't be meaningful
to strip these, as .policy files are inclusion (not exclusion) based.

This change isn't very nice, but it does unblock us from running crosvm
built by the Android host toolchain with sandboxing enabled.

Change-Id: Iab7f2e7abac0f5e154e300833b8d91d7b8500aff
(cherry picked from commit 3b58ccb3072c5908c79d65339e886b344f49c5d1)
4 files changed
tree: a1f26c814b2477ca5757bdb3ef01c8d3e12a2b63
README.md

Minijail

The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Additional tools

See the tools/README.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000
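
To check that a jailed process holds only the capabilities you intended, decode the Cap* masks from /proc/<pid>/status. The Python below is an added example, not part of the Minijail README or code base: the function names are hypothetical, the bit numbers follow linux/capability.h, and SAMPLE is the output shown above.

```python
import re

# Capability names indexed by bit number, per linux/capability.h.
CAP_NAMES = ["CAP_" + n for n in (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()]

def decode_caps(mask):
    """Return the names of the capabilities whose bits are set in mask."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits newer than this table are reported by number.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names

def parse_cap_sets(status_text):
    """Extract every Cap* line of a /proc/<pid>/status dump as {set: mask}."""
    pattern = r"^(Cap\w+):[ \t]*([0-9a-fA-F]+)[ \t]*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def unexpected_caps(status_text, allowed_mask):
    """Map each capability set to the capabilities it holds outside allowed_mask."""
    extras = {}
    for set_name, mask in parse_cap_sets(status_text).items():
        extra = mask & ~allowed_mask
        if extra:
            extras[set_name] = decode_caps(extra)
    return extras

# Output of the "minijail0 -u jorgelo -c 3000" example above.
SAMPLE = """Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000
"""

if __name__ == "__main__":
    for set_name, mask in parse_cap_sets(SAMPLE).items():
        print(set_name, ", ".join(decode_caps(mask)))
    print("outside allowed mask:", unexpected_caps(SAMPLE, 0x3000) or "none")
```

An empty result from unexpected_caps means no capability set, including the bounding set, holds anything beyond the mask passed with -c.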