Google Git
Sign in
android / platform / external / minijail / 122319d67d969cc7c6c6c29aad81405694a8f63e
commit122319d67d969cc7c6c6c29aad81405694a8f63e[log] [tgz]
authorAlistair Delva <adelva@google.com>Mon Aug 24 13:54:16 2020 -0700
committerAlistair Delva <adelva@google.com>Sun Aug 21 17:49:46 2022 +0000
tree8598405c0e746127b27aea5efeb191dee21854a0
parente985d9a0f9f358a02745a7754638306ac934edea [diff]
Workarounds for Android host glibc toolchain

When minijail is built against the Android host glibc toolchain, its
syscall and ioctl coverage becomes limited by the very old Linux C
headers the toolchain is using. Because crosvm jails subprocesses
that can load e.g. GL libraries or FUSE which may be built with much
newer glibc versions, we need support for some newer syscalls and
ioctls added to Linux.

Minijail will throw parse errors for any syscall or ioctl in .policy
files that it doesn't understand; and anyway, it wouldn't be meaningful
to strip these, as .policy files are inclusion (not exclusion) based.

This change isn't very nice, but it does unblock us from running crosvm
built by the Android host toolchain with sandboxing enabled.

Change-Id: Iab7f2e7abac0f5e154e300833b8d91d7b8500aff
(cherry picked from commit 3b58ccb3072c5908c79d65339e886b344f49c5d1)
4 files changed
tree: 8598405c0e746127b27aea5efeb191dee21854a0
  1. examples/
  2. linux-x86/
  3. test/
  4. tools/
  5. .clang-format
  6. .gitignore
  7. Android.bp
  8. arch.h
  9. bpf.c
  10. bpf.h
  11. CleanSpec.mk
  12. common.mk
  13. CPPLINT.cfg
  14. dump_constants.cc
  15. elfparse.c
  16. elfparse.h
  17. gen_constants-inl.h
  18. gen_constants.c
  19. gen_constants.sh
  20. gen_syscalls-inl.h
  21. gen_syscalls.c
  22. gen_syscalls.sh
  23. get_googletest.sh
  24. HACKING.md
  25. libconstants.h
  26. libminijail-private.h
  27. libminijail.c
  28. libminijail.h
  29. libminijail.pc.in
  30. libminijail_unittest.cc
  31. libminijailpreload.c
  32. libsyscalls.h
  33. LICENSE
  34. Makefile
  35. minijail0.1
  36. minijail0.5
  37. minijail0.c
  38. minijail0_cli.c
  39. minijail0_cli.h
  40. minijail0_cli_unittest.cc
  41. MODULE_LICENSE_BSD
  42. navbar.md
  43. NOTICE
  44. OWNERS
  45. parse_seccomp_policy.cc
  46. platform2_preinstall.sh
  47. PRESUBMIT.cfg
  48. PREUPLOAD.cfg
  49. README.md
  50. RELEASE.md
  51. scoped_minijail.h
  52. signal_handler.c
  53. signal_handler.h
  54. syscall_filter.c
  55. syscall_filter.h
  56. syscall_filter_unittest.cc
  57. syscall_filter_unittest_macros.h
  58. syscall_wrapper.c
  59. syscall_wrapper.h
  60. system.c
  61. system.h
  62. system_unittest.cc
  63. testrunner.cc
  64. util.c
  65. util.h
  66. util_unittest.cc
README.md

Minijail

The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000