.TH MINIJAIL0 "1" "March 2016" "Chromium OS" "User Commands"
.SH NAME
minijail0 \- sandbox a process
.SH SYNOPSIS
.B minijail0
[\fIOPTION\fR]... <\fIPROGRAM\fR> [\fIargs\fR]...
.SH DESCRIPTION
.PP
Runs PROGRAM inside a sandbox.
.TP
\fB-a <table>\fR
Run using the alternate syscall table named \fItable\fR. Only available on kernels
and architectures that support the \fBPR_ALT_SYSCALL\fR option of \fBprctl\fR(2).
.TP
\fB-b <src>,<dest>[,<writeable>]\fR
Bind-mount \fIsrc\fR into the chroot directory at \fIdest\fR, optionally writeable.
.TP
\fB-c <caps>\fR
Restrict capabilities to \fIcaps\fR. When used in conjunction with \fB-u\fR and
\fB-g\fR, this allows a program to have access to only certain parts of root's
default privileges while running as another user and group ID altogether. Note
that these capabilities are not inherited by subprocesses of the process given
capabilities unless those subprocesses have POSIX file capabilities. See
\fBcapabilities\fR(7).
.TP
\fB-C <dir>\fR
Change root (using \fBchroot\fR(2)) to \fIdir\fR.
.TP
\fB-e[file]\fR
Enter a new network namespace, or if \fIfile\fR is specified, enter an existing
network namespace specified by \fIfile\fR, which is typically of the form
/proc/<pid>/ns/net.
.TP
\fB-f <file>\fR
Write the pid of the jailed process to \fIfile\fR.
.TP
\fB-g <group>\fR
Change groups to \fIgroup\fR, which may be either a group name or a numeric
group ID.
.TP
\fB-G\fR
Inherit all the supplementary groups of the user specified with \fB-u\fR. It
is an error to use this option without having specified a \fBuser name\fR to
\fB-u\fR.
.TP
\fB-h\fR
Print a help message.
.TP
\fB-H\fR
Print a help message detailing supported system call names for seccomp_filter.
(Raw syscall numbers may also be specified if minijail0's table is not in sync
with the host kernel or if 32/64-bit compatibility issues exist.)
.TP
\fB-I\fR
Run \fIprogram\fR as init (pid 1) inside a new pid namespace (implies \fB-p\fR).
.TP
\fB-k <src>,<dest>,<type>[,<flags>]\fR
Mount \fIsrc\fR, a \fItype\fR filesystem, into the chroot directory at \fIdest\fR, with optional \fIflags\fR.
.TP
\fB-K\fR
Don't mark all existing mounts as MS_PRIVATE.
This option is \fBdangerous\fR as it negates most of the functionality of \fB-v\fR.
You very likely don't need this.
.TP
\fB-l\fR
Run inside a new IPC namespace. This option makes the program's System V IPC
namespace independent.
.TP
\fB-L\fR
Report blocked syscalls to syslog when using seccomp filter. This option will
force certain syscalls to be allowed in order to achieve this, depending on the
system.
.TP
\fB-m[<uid> <loweruid> <count>[,<uid> <loweruid> <count>]]\fR
Set the uid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
\fBnewuidmap\fR(1). Multiple mappings should be separated by ','. With no mapping,
map the current uid to root inside the user namespace.
.TP
\fB-M[<uid> <loweruid> <count>[,<uid> <loweruid> <count>]]\fR
Set the gid mapping of a user namespace (implies \fB-pU\fR). Same arguments as
\fBnewgidmap\fR(1). Multiple mappings should be separated by ','. With no mapping,
map the current gid to root inside the user namespace.
.TP
\fB-n\fR
Set the process's \fIno_new_privs\fR bit. See \fBprctl\fR(2) and the kernel
source file \fIDocumentation/prctl/no_new_privs.txt\fR for more info.
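The bit that \fB-n\fR sets is a single \fBprctl\fR(2) call. The program below is an added, stand-alone illustration written for this page, not minijail's own code: it sets no_new_privs, reads it back, and demonstrates the two properties that make it useful for sandboxing: the kernel refuses every attempt to clear it (only arg2 == 1 is accepted, anything else is EINVAL), and child processes inherit it. It assumes a Linux host; the inheritance check uses fork and wait rather than exec.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Equivalent of minijail0 -n: set no_new_privs on the calling process.
 * Returns 0 on success, -1 on failure (errno set by prctl). */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Read the bit back: 1 if set, 0 if clear, -1 on error. */
int get_no_new_privs(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* The bit is sticky: the kernel only accepts arg2 == 1, so trying to clear it
 * fails with EINVAL. Returns 1 if the clear attempt was rejected, else 0. */
int clear_is_rejected(void)
{
    int rc = prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
    return (rc == -1 && errno == EINVAL) ? 1 : 0;
}

/* Set the bit, fork, and report what the child sees.
 * Returns 1 if the child inherited the bit, 0 if not, -1 on error. */
int child_inherits_bit(void)
{
    if (set_no_new_privs() != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(get_no_new_privs() == 1 ? 0 : 1);   /* child: exit 0 iff bit set */
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void)
{
    printf("before: no_new_privs=%d\n", get_no_new_privs());
    if (set_no_new_privs() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("after:  no_new_privs=%d\n", get_no_new_privs());
    printf("clear rejected: %d\n", clear_is_rejected());
    printf("child inherits: %d\n", child_inherits_bit());
    return 0;
}
```

Because the bit survives fork and exec, setting it in the frontend before exec is enough; this is why \fB-n\fR needs no help from the preload library described under IMPLEMENTATION.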
.TP
\fB-N\fR
Run inside a new cgroup namespace. This option runs the program with a cgroup
view showing the program's cgroup as the root. This is only available on v4.6+
of the Linux kernel.
.TP
\fB-p\fR
Run inside a new PID namespace. This option will make it impossible for the
program to see or affect processes that are not its descendants. This implies
\fB-v\fR and \fB-r\fR, since otherwise the process can see outside its namespace
by inspecting /proc.
.TP
\fB-P <dir>\fR
Set \fIdir\fR as the root fs using \fBpivot_root\fR(2). Implies \fB-v\fR; not
compatible with \fB-C\fR.
.TP
\fB-r\fR
Remount /proc readonly. This implies \fB-v\fR. Remounting /proc readonly means
that even if the process has write access to a system config knob in /proc
(e.g., in /proc/sys/kernel), it cannot change the value.
.TP
\fB-R <rlim_type, rlim_cur, rlim_max>\fR
Set an rlimit value; see \fBgetrlimit\fR(2) for allowed values.
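The following is an added example written for this page, not minijail's own parser: it takes an argument in the \fB-R\fR shape shown above, applies it with \fBsetrlimit\fR(2) and reads the result back with \fBgetrlimit\fR(2). It assumes (this page does not say) that \fIrlim_type\fR is the numeric resource id from <sys/resource.h> and that the two limits are unsigned integers; spaces after the commas are tolerated because the synopsis shows them. The demo lowers RLIMIT_CORE to 0/0, which any unprivileged process may do.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* A parsed -R argument. Assumption (not from this page): rlim_type is the
 * numeric resource id, e.g. the value of RLIMIT_CORE. */
struct rlimit_spec {
    int resource;
    struct rlimit lim;
};

/* Parse "rlim_type,rlim_cur,rlim_max". Returns 0 on success, -1 on malformed
 * input, a missing or extra field, or rlim_cur > rlim_max. */
int parse_rlimit_spec(const char *arg, struct rlimit_spec *out)
{
    char buf[128];
    if (strlen(arg) >= sizeof(buf))
        return -1;
    strcpy(buf, arg);

    char *save = NULL;
    char *fields[3];
    for (int i = 0; i < 3; i++) {
        fields[i] = strtok_r(i == 0 ? buf : NULL, ",", &save);
        if (!fields[i])
            return -1;                  /* too few fields */
        while (*fields[i] == ' ')
            fields[i]++;                /* tolerate "type, cur, max" */
    }
    if (strtok_r(NULL, ",", &save) != NULL)
        return -1;                      /* too many fields */

    char *end;
    errno = 0;
    long type = strtol(fields[0], &end, 10);
    if (errno || *end || *fields[0] == '\0' || type < 0)
        return -1;
    unsigned long long cur = strtoull(fields[1], &end, 10);
    if (errno || *end || *fields[1] == '\0')
        return -1;
    unsigned long long max = strtoull(fields[2], &end, 10);
    if (errno || *end || *fields[2] == '\0')
        return -1;
    if (cur > max)
        return -1;                      /* setrlimit rejects this anyway */

    out->resource = (int)type;
    out->lim.rlim_cur = cur;
    out->lim.rlim_max = max;
    return 0;
}

/* Convenience wrapper for callers that only need a yes/no answer. */
int spec_is_valid(const char *arg)
{
    struct rlimit_spec spec;
    return parse_rlimit_spec(arg, &spec) == 0 ? 1 : 0;
}

/* Apply the limit to the calling process and read it back.
 * Returns 0 only if the kernel now reports exactly the requested values. */
int apply_and_verify(const struct rlimit_spec *spec)
{
    if (setrlimit(spec->resource, &spec->lim) != 0)
        return -1;
    struct rlimit got;
    if (getrlimit(spec->resource, &got) != 0)
        return -1;
    return (got.rlim_cur == spec->lim.rlim_cur &&
            got.rlim_max == spec->lim.rlim_max) ? 0 : -1;
}

/* Build "<RLIMIT_CORE>,0,0" (disable core dumps), apply it, verify it.
 * Lowering a limit never needs privilege, so this works for any user. */
int demo_disable_core_dumps(void)
{
    char arg[64];
    snprintf(arg, sizeof(arg), "%d,0,0", (int)RLIMIT_CORE);
    struct rlimit_spec spec;
    if (parse_rlimit_spec(arg, &spec) != 0)
        return -1;
    return apply_and_verify(&spec);
}

int main(void)
{
    printf("core dumps disabled: %s\n",
           demo_disable_core_dumps() == 0 ? "yes" : "no");
    return 0;
}
```

Note that lowering the hard limit is one-way for an unprivileged process: once rlim_max has been reduced, raising it again requires CAP_SYS_RESOURCE, which is what makes \fB-R\fR useful as a sandbox boundary rather than a hint.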
.TP
\fB-s\fR
Enable \fBseccomp\fR(2) in mode 1, which restricts the child process to a very
small set of system calls.
You most likely do not want to use this with the seccomp filter mode (\fB-S\fR),
as they are completely different (even though they have similar names).
.TP
\fB-S <arch-specific seccomp_filter policy file>\fR
Enable \fBseccomp\fR(2) in mode 13, which restricts the child process to a set of
system calls defined in the policy file. Note that system calls often change
names based on the architecture or mode. (uname -m is your friend.)
.TP
\fB-t[size]\fR
Mounts a tmpfs filesystem on /tmp. /tmp must exist already (e.g. in the chroot).
The filesystem has a default size of "64M", overridden with an optional
argument. It has standard /tmp permissions (1777), and is mounted
nodev/noexec/nosuid. Implies \fB-v\fR.
.TP
\fB-T <type>\fR
Assume the program's ELF linkage type is \fItype\fR,
which should be either 'static' or 'dynamic'.
.TP
\fB-u <user>\fR
Change users to \fIuser\fR, which may be either a user name or a numeric user
ID.
.TP
\fB-U\fR
Enter a new user namespace (implies \fB-p\fR).
.TP
\fB-v\fR
Run inside a new VFS namespace. This option makes the program's mountpoints
independent of the rest of the system's.
.TP
\fB-V <file>\fR
Enter the VFS namespace specified by \fIfile\fR.
.TP
\fB-w\fR
Create and join a new anonymous session keyring. See \fBkeyrings\fR(7) for more
details.
.TP
\fB-y\fR
Keep the current user's supplementary groups.
.TP
\fB-Y\fR
Synchronize seccomp filters across the thread group.
.TP
\fB--uts[=hostname]\fR
Create a new UTS/hostname namespace, and optionally set the hostname in the new
namespace to \fIhostname\fR.
.SH IMPLEMENTATION
This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper
library called \fBlibminijailpreload\fR. Some jailings can only be achieved from
the process to which they will actually apply \- specifically capability use
(since capabilities are not inherited by an exec'd process unless the exec'd
process has POSIX file capabilities), seccomp (since we can't exec() once we're
seccomp'd), and ptrace-disable (which is always cleared on exec()).

To this end, \fBlibminijailpreload\fR is forcibly loaded into all
dynamically-linked target programs if any of these restrictions are in effect;
we pass the specific restrictions in an environment variable which the preloaded
library looks for. The forcibly-loaded library then applies the restrictions
to the newly-loaded program.
.SH AUTHOR
The Chromium OS Authors <chromiumos-dev@chromium.org>
.SH COPYRIGHT
Copyright \(co 2011 The Chromium OS Authors
License BSD-like.
.SH "SEE ALSO"
\fBlibminijail.h\fR \fBminijail0\fR(5)