Google Git
Sign in
android / platform / external / minijail / fc81455b5afe2aa384dcbc4239a7b58e2a4f4a0e / . / README.md
blob: 9933c9da661369321dc2163e941d643f1a28f62d [file] [log] [blame] [view]
Mike Frysinger182d4522018-06-14 19:02:18 -0400[diff] [blame]1# Minijail
2
Jorge Lucangeli Obes58483092018-06-21 19:03:54 -0400[diff] [blame]3The Minijail homepage and main repo is
Mike Frysinger182d4522018-06-14 19:02:18 -0400[diff] [blame]4https://android.googlesource.com/platform/external/minijail/.
5
6There might be other copies floating around, but this is the official one!
7
8[TOC]
9
10## What is it?
11
Jorge Lucangeli Obes58483092018-06-21 19:03:54 -0400[diff] [blame]12Minijail is a sandboxing and containment tool used in Chrome OS and Android.
Mike Frysinger182d4522018-06-14 19:02:18 -0400[diff] [blame]13It provides an executable that can be used to launch and sandbox other programs,
14and a library that can be used by code to sandbox itself.
15
Jorge Lucangeli Obes58483092018-06-21 19:03:54 -0400[diff] [blame]16## Getting the code
Mike Frysinger182d4522018-06-14 19:02:18 -0400[diff] [blame]17
Jorge Lucangeli Obes58483092018-06-21 19:03:54 -0400[diff] [blame]18You're one `git clone` away from happiness.
Mike Frysinger182d4522018-06-14 19:02:18 -0400[diff] [blame]19
20```
21$ git clone https://android.googlesource.com/platform/external/minijail
22$ cd minijail
23```
24
25Releases are tagged as `linux-vXX`:
26https://android.googlesource.com/platform/external/minijail/+refs
27
28## Building
29
30See the [HACKING.md](./HACKING.md) document for more details.
31
Jorge Lucangeli Obes58483092018-06-21 19:03:54 -0400[diff] [blame]32## Release process
Mike Frysinger182d4522018-06-14 19:02:18 -0400[diff] [blame]33
34See the [RELEASE.md](./RELEASE.md) document for more details.
35
36## Contact
37
38We've got a couple of contact points.
39
40* [minijail@chromium.org]: Public user & developer mailing list.
41* [minijail-users@google.com]: Internal Google user mailing list.
42* [minijail-dev@google.com]: Internal Google developer mailing list.
43* [crbug.com/list]: Existing bug reports & feature requests.
44* [crbug.com/new]: File new bug reports & feature requests.
45* [AOSP Gerrit]: Code reviews.
46
47[minijail@chromium.org]: https://groups.google.com/a/chromium.org/forum/#!forum/minijail
48[minijail-users@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-users
49[minijail-dev@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-dev
50[crbug.com/list]: https://crbug.com/?q=component:OS>Systems>Minijail
51[crbug.com/new]: https://bugs.chromium.org/p/chromium/issues/entry?components=OS>Systems>Minijail
52[AOSP Gerrit]: https://android-review.googlesource.com/q/project:platform/external/minijail
53
Jorge Lucangeli Obes58483092018-06-21 19:03:54 -0400[diff] [blame]54## Talks and presentations
Mike Frysinger182d4522018-06-14 19:02:18 -0400[diff] [blame]55
56The following talk serves as a good introduction to Minijail and how it can be used.
57
58[Video](https://drive.google.com/file/d/0BwPS_JpKyELWZTFBcTVsa1hhYjA/preview),
59[slides](https://docs.google.com/presentation/d/1r6LpvDZtYrsl7ryOV4HtpUR-phfCLRL6PA-chcL1Kno/present).
60
Jorge Lucangeli Obes58483092018-06-21 19:03:54 -0400[diff] [blame]61## Example usage
Mike Frysinger182d4522018-06-14 19:02:18 -0400[diff] [blame]62
63The Chromium OS project has a comprehensive
64[sandboxing](https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md)
65document that is largely based on Minijail.
66
67After you play with the simple examples below, you should check that out.
68
69### Change root to any user
70
71```
72# id
73uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
74# minijail0 -u jorgelo -g 5000 /usr/bin/id
75uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
76```
77
78### Drop root while keeping some capabilities
79
80```
81# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
82Name: cat
83...
84CapInh: 0000000000003000
85CapPrm: 0000000000003000
86CapEff: 0000000000003000
87CapBnd: 0000000000003000
88```