Clone this repo:
  1. cb4ae32 parse_seccomp_policy: Add a --dump flag by Luis Hector Chavez · 8 days ago master
  2. a30a206 Add the 'e' flag to all fopen(3) calls by Luis Hector Chavez · 9 days ago
  3. c5f4f47 More RAII for system_unittests by Luis Hector Chavez · 10 days ago
  4. 0bacbf8 minijail: Copy the mount flags from source when bind-mounting by Luis Hector Chavez · 11 days ago
  5. 6bdebb0 minijail: Use std::string for the system_unittests by Luis Hector Chavez · 11 days ago

Minijail

The Minijail homepage & main repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS, and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting The Code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release Process

See the RELEASE.md document for more details.

Contact

We've got a couple of contact points.

Talks and Presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example Usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000