| Elly Jones | cd7a904 | 2011-07-22 13:56:51 -0400 | [diff] [blame^] | 1 | .TH MINIJAIL0 "1" "July 2011" "Chromium OS" "User Commands" |
| 2 | .SH NAME |
| 3 | minijail0 \- sandbox a process |
| 4 | .SH SYNOPSIS |
| 5 | .B minijail0 |
| 6 | [\fIOPTION\fR]... <\fIprogram\fR> [\fIargs\fR]... |
| 7 | .SH DESCRIPTION |
| 8 | .PP |
| 9 | Runs PROGRAM inside a sandbox. |
| 10 | .TP |
| 11 | \fB-c <caps>\fR |
| 12 | Restrict capabilities to \fIcaps\fR. When used in conjunction with \fB-u\fR and |
| 13 | \fB-g\fR, this allows a program to have access to only certain parts of root's |
| 14 | default privileges while running as another user and group ID altogether. Note |
| 15 | that these capabilities are not inherited by subprocesses of the process given |
| 16 | capabilities unless those subprocesses have POSIX file capabilities. See |
| 17 | \fBcapabilities\fR(7). |
| 18 | .TP |
| 19 | \fB-G\fR |
| 20 | Inherit all the supplementary groups of the user specified with \fB-u\fR. It |
| 21 | is an error to use this option without having specified a \fBuser name\fR to |
| 22 | \fB-u\fR. |
| 23 | .TP |
| 24 | \fB-g <group>\fR |
| 25 | Change groups to \fIgroup\fR, which may be either a group name or a numeric |
| 26 | group ID. |
| 27 | .TP |
| 28 | \fB-h\fR |
| 29 | Print a help message. |
| 30 | .TP |
| 31 | \fB-p\fR |
| 32 | Run inside a new PID namespace. This option will make it impossible for the |
| 33 | program to see or affect processes that are not its descendants. |
| 34 | .TP |
| 35 | \fB-r\fR |
| 36 | Remount certain filesystems readonly. Currently this only remounts /proc. This |
| 37 | implies \fB-v\fR. Remounting /proc readonly means that even if the process has |
| 38 | write access to a system config knob in /proc (e.g., in /sys/kernel), it cannot |
| 39 | change the value. |
| 40 | .TP |
| 41 | \fB-s\fR |
| 42 | Enable seccomp(2) in mode 1, which restricts the child process to a very small |
| 43 | set of system calls. Support for more elaborate syscall filtering is coming. |
| 44 | .TP |
| 45 | \fB-u <user>\fR |
| 46 | Change users to \fIuser\fR, which may be either a user name or a numeric user |
| 47 | ID. |
| 48 | .TP |
| 49 | \fB-v\fR |
| 50 | Run inside a new VFS namespace. This option makes the program's mountpoints |
| 51 | independent of the rest of the system's. |
| 52 | .SH IMPLEMENTATION |
| 53 | This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper |
| 54 | library called \fBlibminijailpreload\fR. Some jailings can only be achieved from |
| 55 | the process to which they will actually apply - specifically capability use |
| 56 | (since capabilities are not inherited to an exec'd process unless the exec'd |
| 57 | process has POSIX file capabilities), seccomp (since we can't exec() once we're |
| 58 | seccomp'd), and ptrace-disable (which is always cleared on exec(). |
| 59 | |
| 60 | To this end, \fBlibminijailpreload\fR is forcibly loaded into all |
| 61 | dynamically-linked target programs if any of these restrictions are in effect; |
| 62 | we pass the specific restrictions in an environment variable which the preloaded |
| 63 | library looks for. The forcibly-loaded library then applies the restrictions |
| 64 | to the newly-loaded program. |
| 65 | .SH AUTHOR |
| 66 | Written by Elly Jones (ellyjones@chromium.org) |
| 67 | .SH COPYRIGHT |
| 68 | Copyright \(co 2011 The Chromium OS Authors |
| 69 | License BSD-like. |
| 70 | .SH "SEE ALSO" |
| 71 | \fBlibminijail.h\fR |