Google Git
Sign in
android / platform / external / minijail / refs/heads/android11-gsi
commit989efa4e0fc6123c245902aa9980c02afe035621[log] [tgz]
authorAlistair Delva <adelva@google.com>Thu Mar 11 08:04:44 2021 -0800
committerAlistair Delva <adelva@google.com>Sun Aug 21 17:46:42 2022 +0000
tree1d30eae120856e1e8886a6a035015420641c444b
parentf0f2025690102d014edef1bd7977dce522f104eb [diff]
ANDROID: Add io_uring_* syscall definitions

As an extension of aosp/1408990, make sure the new io_uring_* syscalls
are available to minijail, so it permits them in seccomp policy files.

This feature is being used by recent versions of crosvm.

Bug: 182373406
Change-Id: I2a30628dce5d768aabe8548b0cc64f4919d66582
(cherry picked from commit b5546ade64bf3c2112c3e4a889673be3a9072576)
1 file changed
tree: 1d30eae120856e1e8886a6a035015420641c444b
  1. .github/
  2. examples/
  3. linux-x86/
  4. test/
  5. tools/
  6. .clang-format
  7. .gitignore
  8. Android.bp
  9. arch.h
  10. bpf.c
  11. bpf.h
  12. build.rs
  13. Cargo.toml
  14. CleanSpec.mk
  15. common.mk
  16. CPPLINT.cfg
  17. dump_constants.cc
  18. elfparse.c
  19. elfparse.h
  20. gen_constants-inl.h
  21. gen_constants.c
  22. gen_constants.sh
  23. gen_syscalls-inl.h
  24. gen_syscalls.c
  25. gen_syscalls.sh
  26. get_googletest.sh
  27. HACKING.md
  28. lib.rs
  29. libconstants.h
  30. libminijail-private.h
  31. libminijail.c
  32. libminijail.h
  33. libminijail.pc.in
  34. libminijail.rs
  35. libminijail_unittest.cc
  36. libminijailpreload.c
  37. libsyscalls.h
  38. LICENSE
  39. Makefile
  40. minijail0.1
  41. minijail0.5
  42. minijail0.c
  43. minijail0_cli.c
  44. minijail0_cli.h
  45. minijail0_cli_unittest.cc
  46. MODULE_LICENSE_BSD
  47. navbar.md
  48. NOTICE
  49. OWNERS
  50. OWNERS.rust
  51. parse_seccomp_policy.cc
  52. platform2_preinstall.sh
  53. PRESUBMIT.cfg
  54. PREUPLOAD.cfg
  55. README.md
  56. RELEASE.md
  57. scoped_minijail.h
  58. setup.py
  59. signal_handler.c
  60. signal_handler.h
  61. syscall_filter.c
  62. syscall_filter.h
  63. syscall_filter_unittest.cc
  64. syscall_filter_unittest_macros.h
  65. syscall_wrapper.c
  66. syscall_wrapper.h
  67. system.c
  68. system.h
  69. system_unittest.cc
  70. TEST_MAPPING
  71. testrunner.cc
  72. util.c
  73. util.h
  74. util_unittest.cc
README.md

Minijail

The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Additional tools

See the tools/README.md document for more details.

Contact

We've got a couple of contact points.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000