minijail

sandboxing and containment tool used in ChromeOS and Android

View on GitHub

About

Minijail is a sandboxing and containment tool used in ChromeOS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Sites

The Minijail homepage:
https://google.github.io/minijail/

The main repo:
https://chromium.googlesource.com/chromiumos/platform/minijail/

With a read-only mirror for people to fork:
https://github.com/google/minijail/

There might be other copies floating around, but those are the official ones!

Getting the code

Releases

Releases are tagged as linux-vXX:
https://github.com/google/minijail/releases

Latest Development

You’re one git clone away from happiness.

$ git clone https://chromium.googlesource.com/chromiumos/platform/minijail
$ cd minijail

Documentation

Check out the minijail0(1) and minijail0(5) online man pages for more details about using Minijail.

See the tools/README.md document for info about extra tools we provide to help with development.

The following talk serves as a good introduction to Minijail and how it can be used. video slides

The ChromiumOS project has a comprehensive sandboxing guide that is largely based on Minijail.

Building

Just run make and you’re good to go!

If that doesn’t work out, please see the HACKING.md document for more details.

Examples

Here’s a few simple examples. Check out the docs above for way more in-depth use.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000

Contact

We’ve got a couple of contact points.