README.md - platform/external/minijail - Git at Google

 # Minijail

 The Minijail homepage is
 https://google.github.io/minijail/.

 The main source repo is
 https://android.googlesource.com/platform/external/minijail/.

 There might be other copies floating around, but this is the official one!

 [TOC]

 ## What is it?

 Minijail is a sandboxing and containment tool used in Chrome OS and Android.
 It provides an executable that can be used to launch and sandbox other programs,
 and a library that can be used by code to sandbox itself.

 ## Getting the code

 You're one `git clone` away from happiness.

 ```
 $ git clone https://android.googlesource.com/platform/external/minijail
 $ cd minijail
 ```

 Releases are tagged as `linux-vXX`:
 https://android.googlesource.com/platform/external/minijail/+refs

 ## Building

 See the [HACKING.md](./HACKING.md) document for more details.

 ## Release process

 See the [RELEASE.md](./RELEASE.md) document for more details.

 ## Additional tools

 See the [tools/README.md](./tools/README.md) document for more details.

 ## Contact

 We've got a couple of contact points.

 * [minijail@chromium.org]: Public user & developer mailing list.
 * [minijail-users@google.com]: Internal Google user mailing list.
 * [minijail-dev@google.com]: Internal Google developer mailing list.
 * [crbug.com/list]: Existing bug reports & feature requests.
 * [crbug.com/new]: File new bug reports & feature requests.
 * [AOSP Gerrit]: Code reviews.

 [minijail@chromium.org]: https://groups.google.com/a/chromium.org/forum/#!forum/minijail
 [minijail-users@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-users
 [minijail-dev@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-dev
 [crbug.com/list]: https://crbug.com/?q=component:OS>Systems>Minijail
 [crbug.com/new]: https://bugs.chromium.org/p/chromium/issues/entry?components=OS>Systems>Minijail
 [AOSP Gerrit]: https://android-review.googlesource.com/q/project:platform/external/minijail

 ## Talks and presentations

 The following talk serves as a good introduction to Minijail and how it can be used.

 [Video](https://drive.google.com/file/d/0BwPS_JpKyELWZTFBcTVsa1hhYjA/preview),
 [slides](https://docs.google.com/presentation/d/e/2PACX-1vRBqpin5xR9sng6lIBPjG0XQtu-uWWgr0ds-M3zW13XpDO-bTcMERLwoHUEB9078p1yqr9L-su9n5dk/pub).

 ## Example usage

 The Chromium OS project has a comprehensive
 [sandboxing](https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md)
 document that is largely based on Minijail.

 After you play with the simple examples below, you should check that out.

 ### Change root to any user

 ```
 # id
 uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
 # minijail0 -u jorgelo -g 5000 /usr/bin/id
 uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
 ```

 ### Drop root while keeping some capabilities

 ```
 # minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
 Name: cat
 ...
 CapInh: 0000000000003000
 CapPrm: 0000000000003000
 CapEff: 0000000000003000
 CapBnd: 0000000000003000
 ```

 ## Historical notes

 Q. "Why is it called minijail0?"

 A. It is minijail0 because it was a rewrite of an earlier program named
 minijail, which was considerably less mini, and in particular had a dependency
 on libchrome (the Chrome OS packaged version of Chromium's //base).  We needed a
 new name to not collide with the deprecated one.

 We didn't want to call it minijail2 or something that would make people
 start using it before we were ready, and it was also concretely _less_ since it
 dropped libbase, etc.  Technically, we needed to be able to fork/preload with
 minimal extra syscall noise which was too hard with libbase at the time (onexit
 handlers, etc that called syscalls we didn't want to allow).  Also, Elly made a
 strong case that C would be the right choice for this for linking and ease of
 controlled surprise system call use.

 https://crrev.com/c/4585/ added the original implementation.

 Source: Conversations with original authors, ellyjones@ and wad@.

 ## How to manually upgrade Minijail on Chrome OS

 Minijail is manually upgraded on Chrome OS so that there is a way to test
 changes in the Chrome OS commit queue. Committed changes have already passed
 Android's presubmit checks, but the ebuild upgrade CL goes through the Chrome
 OS commit queue and must pass the tests before any additional changes are
 available for use on Chrome OS. To upgrade minijail on Chrome OS, complete the
 following steps.

 ```bash
 # Sync Minijail repo
 cd ~/chromiumos/src/aosp/external/minijail
 git checkout m/main
 repo sync .

 # Set up local branch.
 cd ~/trunk/src/third_party/chromiumos-overlay/
 repo start minijail .  # replace minijail with the local branch name you want.

 # Run upgrade script.
 ~/trunk/chromite/scripts/cros_uprev --force --overlay-type public \
   --packages chromeos-base/minijail:dev-rust/minijail-sys:dev-rust/minijail
 ```

 At this point the Minijail-related packages should be upgraded, so you may want
 to add the changes to a commit and do some local testing before uploading a
 change list. Here are the recommended local tests to try (make sure you are
 **not** working on the minijail packages first i.e. `cros_workon list-all`):

 ```bash
 # Check build.
 ./build_packages --board=${BOARD}

 # Check unit tests.
 FEATURES=test emerge-${BOARD} chromeos-base/minijail dev-rust/minijail-sys \
   dev-rust/minijail

 # Check integration tests.
 cros deploy <DUT> chromeos-base/minijail
 tast run <DUT> security.Minijail.* security.MinijailSeccomp
 ```

 Finally, when uploading the CL make sure to include the list of changes
 since the last uprev. The command to generate the list is as follows:
 ```bash
 git log --oneline --no-merges <previous hash in ebuild file>..HEAD
 ```
	# Minijail

	The Minijail homepage is
	https://google.github.io/minijail/.

	The main source repo is
	https://android.googlesource.com/platform/external/minijail/.

	There might be other copies floating around, but this is the official one!

	[TOC]

	## What is it?

	Minijail is a sandboxing and containment tool used in Chrome OS and Android.
	It provides an executable that can be used to launch and sandbox other programs,
	and a library that can be used by code to sandbox itself.

	## Getting the code

	You're one `git clone` away from happiness.

	```
	$ git clone https://android.googlesource.com/platform/external/minijail
	$ cd minijail
	```

	Releases are tagged as `linux-vXX`:
	https://android.googlesource.com/platform/external/minijail/+refs

	## Building

	See the [HACKING.md](./HACKING.md) document for more details.

	## Release process

	See the [RELEASE.md](./RELEASE.md) document for more details.

	## Additional tools

	See the [tools/README.md](./tools/README.md) document for more details.

	## Contact

	We've got a couple of contact points.

	* [minijail@chromium.org]: Public user & developer mailing list.
	* [minijail-users@google.com]: Internal Google user mailing list.
	* [minijail-dev@google.com]: Internal Google developer mailing list.
	* [crbug.com/list]: Existing bug reports & feature requests.
	* [crbug.com/new]: File new bug reports & feature requests.
	* [AOSP Gerrit]: Code reviews.

	[minijail@chromium.org]: https://groups.google.com/a/chromium.org/forum/#!forum/minijail
	[minijail-users@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-users
	[minijail-dev@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-dev
	[crbug.com/list]: https://crbug.com/?q=component:OS>Systems>Minijail
	[crbug.com/new]: https://bugs.chromium.org/p/chromium/issues/entry?components=OS>Systems>Minijail
	[AOSP Gerrit]: https://android-review.googlesource.com/q/project:platform/external/minijail

	## Talks and presentations

	The following talk serves as a good introduction to Minijail and how it can be used.

	[Video](https://drive.google.com/file/d/0BwPS_JpKyELWZTFBcTVsa1hhYjA/preview),
	[slides](https://docs.google.com/presentation/d/e/2PACX-1vRBqpin5xR9sng6lIBPjG0XQtu-uWWgr0ds-M3zW13XpDO-bTcMERLwoHUEB9078p1yqr9L-su9n5dk/pub).

	## Example usage

	The Chromium OS project has a comprehensive
	[sandboxing](https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md)
	document that is largely based on Minijail.

	After you play with the simple examples below, you should check that out.

	### Change root to any user

	```
	# id
	uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
	# minijail0 -u jorgelo -g 5000 /usr/bin/id
	uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
	```

	### Drop root while keeping some capabilities

	```
	# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
	Name: cat
	...
	CapInh: 0000000000003000
	CapPrm: 0000000000003000
	CapEff: 0000000000003000
	CapBnd: 0000000000003000
	```

	## Historical notes

	Q. "Why is it called minijail0?"

	A. It is minijail0 because it was a rewrite of an earlier program named
	minijail, which was considerably less mini, and in particular had a dependency
	on libchrome (the Chrome OS packaged version of Chromium's //base). We needed a
	new name to not collide with the deprecated one.

	We didn't want to call it minijail2 or something that would make people
	start using it before we were ready, and it was also concretely _less_ since it
	dropped libbase, etc. Technically, we needed to be able to fork/preload with
	minimal extra syscall noise which was too hard with libbase at the time (onexit
	handlers, etc that called syscalls we didn't want to allow). Also, Elly made a
	strong case that C would be the right choice for this for linking and ease of
	controlled surprise system call use.

	https://crrev.com/c/4585/ added the original implementation.

	Source: Conversations with original authors, ellyjones@ and wad@.

	## How to manually upgrade Minijail on Chrome OS

	Minijail is manually upgraded on Chrome OS so that there is a way to test
	changes in the Chrome OS commit queue. Committed changes have already passed
	Android's presubmit checks, but the ebuild upgrade CL goes through the Chrome
	OS commit queue and must pass the tests before any additional changes are
	available for use on Chrome OS. To upgrade minijail on Chrome OS, complete the
	following steps.

	```bash
	# Sync Minijail repo
	cd ~/chromiumos/src/aosp/external/minijail
	git checkout m/main
	repo sync .

	# Set up local branch.
	cd ~/trunk/src/third_party/chromiumos-overlay/
	repo start minijail . # replace minijail with the local branch name you want.

	# Run upgrade script.
	~/trunk/chromite/scripts/cros_uprev --force --overlay-type public \
	--packages chromeos-base/minijail:dev-rust/minijail-sys:dev-rust/minijail
	```

	At this point the Minijail-related packages should be upgraded, so you may want
	to add the changes to a commit and do some local testing before uploading a
	change list. Here are the recommended local tests to try (make sure you are
	not working on the minijail packages first i.e. `cros_workon list-all`):

	```bash
	# Check build.
	./build_packages --board=${BOARD}

	# Check unit tests.
	FEATURES=test emerge-${BOARD} chromeos-base/minijail dev-rust/minijail-sys \
	dev-rust/minijail

	# Check integration tests.
	cros deploy <DUT> chromeos-base/minijail
	tast run <DUT> security.Minijail.* security.MinijailSeccomp
	```

	Finally, when uploading the CL make sure to include the list of changes
	since the last uprev. The command to generate the list is as follows:
	```bash
	git log --oneline --no-merges <previous hash in ebuild file>..HEAD
	```