syscall_filter: fix multiline parsing with more than one line

The return value of the getmultiline helper wasn't returning the full
length of the string, just the first half.  This caused us to fail to
parse more than one line continuation.

Bug: None
Test: unittests pass (with updated test case)
Change-Id: I4356e14fb00a8c295cae481c4d578efe3c7e83fd
2 files changed
tree: 4a41e2d12fee9dd28d615d4e923b38b5be95b72e
  1. .clang-format
  2. .gitignore
  3. Android.bp
  4. CPPLINT.cfg
  5. CleanSpec.mk
  6. HACKING.md
  7. LICENSE
  8. MODULE_LICENSE_BSD
  9. Makefile
  10. NOTICE
  11. OWNERS
  12. PRESUBMIT.cfg
  13. PREUPLOAD.cfg
  14. README.md
  15. RELEASE.md
  16. arch.h
  17. bpf.c
  18. bpf.h
  19. common.mk
  20. dump_constants.cc
  21. elfparse.c
  22. elfparse.h
  23. examples/
  24. gen_constants-inl.h
  25. gen_constants.c
  26. gen_constants.sh
  27. gen_syscalls.c
  28. gen_syscalls.sh
  29. get_googletest.sh
  30. libconstants.h
  31. libminijail-private.h
  32. libminijail.c
  33. libminijail.h
  34. libminijail.pc.in
  35. libminijail_unittest.cc
  36. libminijailpreload.c
  37. libsyscalls.h
  38. linux-x86/
  39. minijail0.1
  40. minijail0.5
  41. minijail0.c
  42. minijail0_cli.c
  43. minijail0_cli.h
  44. minijail0_cli_unittest.cc
  45. navbar.md
  46. parse_seccomp_policy.cc
  47. platform2_preinstall.sh
  48. scoped_minijail.h
  49. signal_handler.c
  50. signal_handler.h
  51. syscall_filter.c
  52. syscall_filter.h
  53. syscall_filter_unittest.cc
  54. syscall_filter_unittest_macros.h
  55. syscall_wrapper.c
  56. syscall_wrapper.h
  57. system.c
  58. system.h
  59. system_unittest.cc
  60. test/
  61. testrunner.cc
  62. tools/
  63. util.c
  64. util.h
  65. util_unittest.cc
README.md

Minijail

The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000