Google Git
Sign in
android / platform / external / minijail / 255a8e2879edb49f395f819e2f8590b40a8284ed
commit255a8e2879edb49f395f819e2f8590b40a8284ed[log] [tgz]
authorJorge Lucangeli Obes <jorgelo@google.com>Thu Apr 11 14:34:41 2019 -0400
committerJorge Lucangeli Obes <jorgelo@google.com>Fri Apr 12 15:37:22 2019 -0400
tree8ff3055e46497cb15887286b112ef4ac49d411b8
parenteb42bb786a78ae7c54bb891d80cde55020fc32a7 [diff]
Make pidfile writing "more" atomic.

We were seeing races in tests where the pidfile was being opened
before the actual writing had taken place. Fix this by using the
classic writing to a temp file and renaming.

Bug: chromium:949357
Test: Existing unit tests.

Change-Id: Ib218f75731eaa22f348fd8eca6549ef638c255f7
2 files changed
tree: 8ff3055e46497cb15887286b112ef4ac49d411b8
  1. examples/
  2. linux-x86/
  3. test/
  4. tools/
  5. .clang-format
  6. .gitignore
  7. Android.bp
  8. arch.h
  9. bpf.c
  10. bpf.h
  11. CleanSpec.mk
  12. common.mk
  13. CPPLINT.cfg
  14. dump_constants.cc
  15. elfparse.c
  16. elfparse.h
  17. gen_constants-inl.h
  18. gen_constants.c
  19. gen_constants.sh
  20. gen_syscalls.c
  21. gen_syscalls.sh
  22. get_googletest.sh
  23. HACKING.md
  24. libconstants.h
  25. libminijail-private.h
  26. libminijail.c
  27. libminijail.h
  28. libminijail.pc.in
  29. libminijail_unittest.cc
  30. libminijailpreload.c
  31. libsyscalls.h
  32. LICENSE
  33. Makefile
  34. minijail0.1
  35. minijail0.5
  36. minijail0.c
  37. minijail0_cli.c
  38. minijail0_cli.h
  39. minijail0_cli_unittest.cc
  40. MODULE_LICENSE_BSD
  41. navbar.md
  42. NOTICE
  43. OWNERS
  44. parse_seccomp_policy.cc
  45. platform2_preinstall.sh
  46. PRESUBMIT.cfg
  47. PREUPLOAD.cfg
  48. README.md
  49. RELEASE.md
  50. scoped_minijail.h
  51. signal_handler.c
  52. signal_handler.h
  53. syscall_filter.c
  54. syscall_filter.h
  55. syscall_filter_unittest.cc
  56. syscall_filter_unittest_macros.h
  57. syscall_wrapper.c
  58. syscall_wrapper.h
  59. system.c
  60. system.h
  61. system_unittest.cc
  62. testrunner.cc
  63. util.c
  64. util.h
  65. util_unittest.cc
README.md

Minijail

The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000