minijail

sandboxing and containment tool used in ChromeOS and Android


minijail0(1): sandbox a process

Synopsis

minijail0 [OPTION]… <PROGRAM> [args]…

Description

Runs PROGRAM inside a sandbox.

Sandboxing Profiles

The following sandboxing profiles are supported:

Implementation

This program is broken up into two parts: minijail0 (the frontend) and a helper library called libminijailpreload. Some jailings can only be achieved from the process to which they will actually apply:

To this end, libminijailpreload is forcibly loaded into all dynamically-linked target programs by default; we pass the specific restrictions in an environment variable which the preloaded library looks for. The forcibly-loaded library then applies the restrictions to the newly-loaded program.
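The pattern described above, as an added C example that is not libminijailpreload's code: a preloaded library reads a restriction spec from an environment variable and applies it from inside the target process before `main()` runs. The variable name `DEMO_JAIL_SPEC`, the spec syntax and the function names are hypothetical and chosen for this illustration only.

```c
/* Added illustration of the preload pattern; NOT libminijailpreload's code. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/resource.h>

#define DEMO_ENV "DEMO_JAIL_SPEC" /* hypothetical name, not minijail's variable */

/* Apply a comma-separated spec ("no_new_privs,nofile=64") to the calling
 * process. Returns the number of restrictions applied, or -1 on any unknown
 * or failed item so the caller can fail closed. */
int demo_apply_restrictions(const char *spec)
{
    int applied = 0;
    char *save = NULL, *copy = strdup(spec);
    if (!copy) return -1;
    for (char *t = strtok_r(copy, ",", &save); t; t = strtok_r(NULL, ",", &save)) {
        if (strcmp(t, "no_new_privs") == 0) {
            if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) goto fail;
        } else if (strncmp(t, "nofile=", 7) == 0) {
            char *end;
            unsigned long n = strtoul(t + 7, &end, 10);
            struct rlimit rl = { n, n };
            if (end == t + 7 || *end || setrlimit(RLIMIT_NOFILE, &rl) != 0) goto fail;
        } else {
            goto fail; /* unknown restriction: never silently skip */
        }
        applied++;
    }
    free(copy);
    return applied;
fail:
    free(copy);
    return -1;
}

/* Runs when the dynamic loader maps the library, before the target's main(). */
__attribute__((constructor)) static void demo_preload_init(void)
{
    const char *spec = getenv(DEMO_ENV);
    if (!spec) return; /* not started by the frontend */
    if (demo_apply_restrictions(spec) < 0) _exit(1); /* fail closed */
    unsetenv(DEMO_ENV); /* keep the spec out of the target's children */
}
```

Built as a shared object and named in `LD_PRELOAD`, the constructor executes inside the target process. A statically linked program has no dynamic loader to honor the preload, so this path does not apply to it.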

This behavior can be disabled by the use of the -T static flag. There are other cases in which the use of this flag might be useful:

Author

The ChromiumOS Authors <chromiumos-dev@chromium.org>

Copyright © 2011 The ChromiumOS Authors. License: BSD-like.

See Also

libminijail.h, minijail0(5), seccomp(2)