# Minijail

The Minijail homepage and main repo is
https://android.googlesource.com/platform/external/minijail/.

There might be other copies floating around, but this is the official one!

[TOC]

## What is it?

Minijail is a sandboxing and containment tool used in Chrome OS and Android.
It provides an executable that can be used to launch and sandbox other programs,
and a library that can be used by code to sandbox itself.

## Getting the code

You're one `git clone` away from happiness.

```
$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail
```

Releases are tagged as `linux-vXX`:
https://android.googlesource.com/platform/external/minijail/+refs

## Building

See the [HACKING.md](./HACKING.md) document for more details.

## Release process

See the [RELEASE.md](./RELEASE.md) document for more details.

## Contact

We've got a couple of contact points.

* [minijail@chromium.org]: Public user & developer mailing list.
* [minijail-users@google.com]: Internal Google user mailing list.
* [minijail-dev@google.com]: Internal Google developer mailing list.
* [crbug.com/list]: Existing bug reports & feature requests.
* [crbug.com/new]: File new bug reports & feature requests.
* [AOSP Gerrit]: Code reviews.

[minijail@chromium.org]: https://groups.google.com/a/chromium.org/forum/#!forum/minijail
[minijail-users@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-users
[minijail-dev@google.com]: https://groups.google.com/a/google.com/forum/#!forum/minijail-dev
[crbug.com/list]: https://crbug.com/?q=component:OS>Systems>Minijail
[crbug.com/new]: https://bugs.chromium.org/p/chromium/issues/entry?components=OS>Systems>Minijail
[AOSP Gerrit]: https://android-review.googlesource.com/q/project:platform/external/minijail

## Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

[Video](https://drive.google.com/file/d/0BwPS_JpKyELWZTFBcTVsa1hhYjA/preview),
[slides](https://docs.google.com/presentation/d/1r6LpvDZtYrsl7ryOV4HtpUR-phfCLRL6PA-chcL1Kno/present).

## Example usage

The Chromium OS project has a comprehensive
[sandboxing](https://chromium.googlesource.com/chromiumos/docs/+/master/sandboxing.md)
document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

### Change root to any user

```
# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
```

### Drop root while keeping some capabilities

```
# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000
```
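
The `-c 3000` argument in the capability example above is a hex bitmask of Linux capability numbers. The Python sketch below is an added example, not code from the Minijail repository: it decodes such a mask and checks the `Cap*` lines of a `/proc/<pid>/status` dump against it. The function names and the `ROOT_STATUS` sample are constructed for illustration.

```python
# Added example: audit /proc/<pid>/status capability sets against a minijail0 -c mask.
# Capability names by bit number, as defined in <linux/capability.h> (bits 0..40).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

# Cap* lines quoted on this page for: minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
PAGE_STATUS = """Name: cat
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000
"""
# Constructed sample: the same dump with every capability bit 0..40 set in each set.
ROOT_STATUS = PAGE_STATUS.replace("0000000000003000", "000001ffffffffff")

def decode_caps(mask):
    """Return the capability names set in an integer mask, lowest bit first."""
    names, bit = [], 0
    while mask >> bit:
        if mask >> bit & 1:
            known = bit < len(CAP_NAMES)
            names.append("CAP_" + CAP_NAMES[bit] if known else f"unknown({bit})")
        bit += 1
    return names

def parse_cap_sets(status_text):
    """Extract the Cap* fields of a status dump as {field: int}."""
    fields = (line.partition(":") for line in status_text.splitlines())
    return {k: int(v.strip(), 16) for k, _, v in fields if k.startswith("Cap")}

def audit(status_text, expected_mask):
    """Report each capability set that differs from the mask passed to -c."""
    sets, findings = parse_cap_sets(status_text), []
    for field in ("CapInh", "CapPrm", "CapEff", "CapBnd"):
        got = sets.get(field)
        if got is None:
            findings.append(f"{field}: missing from status dump")
        elif got != expected_mask:
            extra, lost = decode_caps(got & ~expected_mask), decode_caps(expected_mask & ~got)
            findings.append(f"{field}: extra={extra} lost={lost}")
    return findings

if __name__ == "__main__":
    print(decode_caps(0x3000), audit(PAGE_STATUS, 0x3000), audit(ROOT_STATUS, 0x3000), sep="\n")
```

An empty list from `audit` means all four sets match the requested mask; any entry names the capabilities a process holds beyond it, or lacks.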