Build minijail as rust crate

minijail isn't packaged for normal Linux systems. Package it as a crate so it
can be built into the crosvm binary when minijail isn't available via
pkg-config.

BUG=chromium:1032360
TEST=cargo build

Change-Id: I7939d02399b28fe55fcd53fddec246e6129b4181
9 files changed
tree: 2ee7f7ea8ef56baafc5792d510313a8e40db1e16
  1. .clang-format
  2. .gitignore
  3. Android.bp
  4. CPPLINT.cfg
  5. Cargo.toml
  6. CleanSpec.mk
  7. HACKING.md
  8. LICENSE
  9. MODULE_LICENSE_BSD
  10. Makefile
  11. NOTICE
  12. OWNERS
  13. OWNERS.rust
  14. PRESUBMIT.cfg
  15. PREUPLOAD.cfg
  16. README.md
  17. RELEASE.md
  18. TEST_MAPPING
  19. arch.h
  20. bpf.c
  21. bpf.h
  22. build.rs
  23. common.mk
  24. dump_constants.cc
  25. elfparse.c
  26. elfparse.h
  27. examples/
  28. gen_constants-inl.h
  29. gen_constants.c
  30. gen_constants.sh
  31. gen_syscalls.c
  32. gen_syscalls.sh
  33. get_googletest.sh
  34. lib.rs
  35. libconstants.h
  36. libminijail-private.h
  37. libminijail.c
  38. libminijail.h
  39. libminijail.pc.in
  40. libminijail.rs
  41. libminijail_unittest.cc
  42. libminijailpreload.c
  43. libsyscalls.h
  44. linux-x86/
  45. minijail0.1
  46. minijail0.5
  47. minijail0.c
  48. minijail0_cli.c
  49. minijail0_cli.h
  50. minijail0_cli_unittest.cc
  51. navbar.md
  52. parse_seccomp_policy.cc
  53. platform2_preinstall.sh
  54. scoped_minijail.h
  55. signal_handler.c
  56. signal_handler.h
  57. syscall_filter.c
  58. syscall_filter.h
  59. syscall_filter_unittest.cc
  60. syscall_filter_unittest_macros.h
  61. syscall_wrapper.c
  62. syscall_wrapper.h
  63. system.c
  64. system.h
  65. system_unittest.cc
  66. test/
  67. testrunner.cc
  68. tools/
  69. util.c
  70. util.h
  71. util_unittest.cc
README.md

Minijail

The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000