85 lines
3 KiB
Groff
85 lines
3 KiB
Groff
.TH MINIJAIL0 "1" "July 2011" "Chromium OS" "User Commands"
|
|
.SH NAME
|
|
minijail0 \- sandbox a process
|
|
.SH DESCRIPTION
|
|
.PP
|
|
Runs PROGRAM inside a sandbox. See \fBminijail\fR(1) for details.
|
|
.SH EXAMPLES
|
|
|
|
Safely switch from root to nobody while dropping all capabilities and
|
|
inheriting any groups from nobody:
|
|
|
|
# minijail0 -c 0 -G -u nobody /usr/bin/whoami
|
|
nobody
|
|
|
|
Run in a PID and VFS namespace without superuser capabilities (but still
|
|
as root) and with a private view of /proc:
|
|
|
|
# minijail0 -p -v -r -c 0 /bin/ps
|
|
PID TTY TIME CMD
|
|
1 pts/0 00:00:00 minijail0
|
|
2 pts/0 00:00:00 ps
|
|
|
|
Running a process with a seccomp filter policy at reduced privileges:
|
|
|
|
# minijail0 -S /usr/share/minijail0/$(uname -m)/cat.policy -- \\
|
|
/bin/cat /proc/self/seccomp_filter
|
|
...
|
|
|
|
.SH SECCOMP_FILTER POLICY
|
|
The policy file supplied to the \fB-S\fR argument supports the following syntax:
|
|
|
|
\fB<syscall_name>\fR:\fB<ftrace filter policy>\fR
|
|
\fB<syscall_number>\fR:\fB<ftrace filter policy>\fR
|
|
\fB<empty line>\fR
|
|
\fB# any single line comment\fR
|
|
|
|
A policy that emulates \fBseccomp\fR(2) in mode 1 may look like:
|
|
read: 1
|
|
write: 1
|
|
sig_return: 1
|
|
exit: 1
|
|
|
|
The "1" acts as a wildcard and allows any use of the mentioned system
|
|
call. More advanced filtering is possible if your kernel supports
|
|
CONFIG_FTRACE_SYSCALLS. For example, we can allow a process to open any
|
|
file read only and mmap PROT_READ only:
|
|
|
|
# open with O_LARGEFILE|O_RDONLY|O_NONBLOCK or some combination
|
|
open: flags == 32768 || flags == 0 || flags == 34816 || flags == 2048
|
|
mmap2: prot == 0x0
|
|
munmap: 1
|
|
close: 1
|
|
|
|
The supported arguments may be found by reviewing the system call
|
|
prototypes in the Linux kernel source code. Be aware that any
|
|
non-numeric comparison may be subject to time-of-check-time-of-use
|
|
attacks and cannot be considered safe.
|
|
|
|
\fBexecve\fR may only be used when invoking with CAP_SYS_ADMIN privileges.
|
|
|
|
.SH SECCOMP_FILTER POLICY WRITING
|
|
|
|
Determining policy for seccomp_filter can be time consuming. System
|
|
calls are often named in arch-specific, or legacy tainted, ways. E.g.,
|
|
geteuid versus geteuid32. On process death due to a seccomp filter
|
|
rule, the offending system call number will be supplied with a best
|
|
guess of the ABI defined name. This information may be used to produce
|
|
working baseline policies. However, if the process being contained has
|
|
a fairly tight working domain, using \fBstrace -e raw=all <program>\fR
|
|
can generate the list of system calls that are needed. Note that when
|
|
using libminijail or minijail with preloading, supporting initial
|
|
process setup calls will not be required. Be conservative.
|
|
|
|
It's also possible to analyze the binary checking for all non-dead
|
|
functions and determining if any of them issue system calls. There is
|
|
no active implementation for this, but something like
|
|
code.google.com/p/seccompsandbox is one possible runtime variant.
|
|
|
|
.SH AUTHOR
|
|
The Chromium OS Authors <chromiumos-dev@chromium.org>
|
|
.SH COPYRIGHT
|
|
Copyright \(co 2011 The Chromium OS Authors
|
|
License BSD-like.
|
|
.SH "SEE ALSO"
|
|
\fBminijail\fR(1)
|