OpenGrok

minijail0 - sandbox a process

Runs PROGRAM inside a sandbox. See minijail(1) for details.

Safely switch from root to nobody while dropping all capabilities and inheriting any groups from nobody: # minijail0 -c 0 -G -u nobody /usr/bin/whoami nobody Run in a PID and VFS namespace without superuser capabilities (but still as root) and with a private view of /proc: # minijail0 -p -v -r -c 0 /bin/ps PID TTY TIME CMD 1 pts/0 00:00:00 minijail0 2 pts/0 00:00:00 ps Running a process with a seccomp filter policy at reduced privileges: # minijail0 -S /usr/share/minijail0/$(uname -m)/cat.policy -- \\ /bin/cat /proc/self/seccomp_filter ... The policy file supplied to the -S argument supports the following syntax: <syscall_name>:<ftrace filter policy> <syscall_number>:<ftrace filter policy> <empty line> # any single line comment A policy that emulates seccomp(2) in mode 1 may look like: read: 1 write: 1 sig_return: 1 exit: 1 The "1" acts as a wildcard and allows any use of the mentioned system call. More advanced filtering is possible if your kernel supports CONFIG_FTRACE_SYSCALLS. For example, we can allow a process to open any file read only and mmap PROT_READ only: # open with O_LARGEFILE|O_RDONLY|O_NONBLOCK or some combination open: flags == 32768 || flags == 0 || flags == 34816 || flags == 2048 mmap2: prot == 0x0 munmap: 1 close: 1 The supported arguments may be found by reviewing the system call prototypes in the Linux kernel source code. Be aware that any non-numeric comparison may be subject to time-of-check-time-of-use attacks and cannot be considered safe. execve may only be used when invoking with CAP_SYS_ADMIN privileges. Determining policy for seccomp_filter can be time consuming. System calls are often named in arch-specific, or legacy tainted, ways. E.g., geteuid versus geteuid32. On process death due to a seccomp filter rule, the offending system call number will be supplied with a best guess of the ABI defined name. This information may be used to produce working baseline policies. However, if the process being contained has a fairly tight working domain, using strace -e raw=all <program> can generate the list of system calls that are needed. Note that when using libminijail or minijail with preloading, supporting initial process setup calls will not be required. Be conservative. It's also possible to analyze the binary checking for all non-dead functions and determining if any of them issue system calls. There is no active implementation for this, but something like code.google.com/p/seccompsandbox is one possible runtime variant. The Chromium OS Authors <chromiumos-dev (at] chromium.org> Copyright \(co 2011 The Chromium OS Authors License BSD-like. minijail(1)