Add instructions for using the seccomp compiler successfully.

There are quite a few requirements to be able to use the seccomp
compiler successfully, the trickiest of which is the 'constants.json'
file which is required by the compiler and uses LLVM IR files as input.

Leave enough breadcrumbs so that occasional users can figure out what
they need to do.

Also fix some style nits.

Bug: crbug.com/1162326
Test: generate_constants_json.py -h, compile_seccomp_policy.py -h,
Test: generate_seccomp_policy.py -h
Change-Id: I00ea7d9af3cf854ea8b084048533194a4edabd42
3 files changed
tree: d4899b5a0adaf8a14886be19e55775c5d83dda74
README.md

Minijail

The Minijail homepage is https://google.github.io/minijail/.

The main source repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Additional tools

See the tools/README.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000
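
The capability masks in the output above can be decoded and checked against an allow-list. The following is an added example, not part of the Minijail README or source: the function names are hypothetical, the sample text is constructed from the output shown above, and the bit numbers are the ones defined in the Linux `<linux/capability.h>` header.

```python
import re

# Capability names indexed by bit number, as defined in <linux/capability.h>.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

# Constructed sample mirroring the /proc/self/status lines shown above.
SAMPLE_STATUS = """Name: cat
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000
"""

def parse_cap_sets(status_text):
    """Return {set_name: mask} for every Cap* line in a status dump."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"(Cap[A-Za-z]+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets

def decode_mask(mask):
    """Turn a capability bitmask into a list of CAP_* names."""
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            known = bit < len(CAP_NAMES)
            names.append("CAP_" + CAP_NAMES[bit] if known else f"UNKNOWN_{bit}")
    return names

def audit(status_text, allowed_mask):
    """List (set_name, extra_caps) for sets holding bits outside allowed_mask."""
    findings = []
    for name, mask in parse_cap_sets(status_text).items():
        extra = mask & ~allowed_mask
        if extra:
            findings.append((name, decode_mask(extra)))
    return findings

if __name__ == "__main__":
    print(decode_mask(0x3000))            # names behind the mask shown above
    print(audit(SAMPLE_STATUS, 0x3000))   # empty list: nothing beyond the mask
```

To check a live process, pass the contents of its `/proc/<pid>/status` file to `audit()` in place of the sample.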