tag | 7e34f5600f65d5d2e8b467851c346d2ca69f5c0b | |
---|---|---|
tagger | Jorge Lucangeli Obes <jorgelo@google.com> | Mon Jul 01 17:47:18 2019 |
object | 64cf3cbb6e8c3d656304944c8c8f327b6ec71aaa |
Minijail v10. New in this release: *New standalone seccomp compiler (lhchavez@google.com). *Add support for SECCOMP_RET_LOG (jorgelo@google.com). *Allow passing a cap_from_text(3)-compliant string to -c (lhchavez@google.com). *Add support for <, <=, >, >= to runtime seccomp compiler (lhchavez@google.com). *Introduce the ~ unary operator and parenthesized constants (lhchavez@google.com). *Allow passing a new environment to the child (jorgelo@google.com).
commit | 64cf3cbb6e8c3d656304944c8c8f327b6ec71aaa | [log] [tgz] |
---|---|---|
author | Kevin Hamacher <hamacher@google.com> | Wed Jun 05 15:28:46 2019 |
committer | Treehugger Robot <treehugger-gerrit@google.com> | Thu Jun 27 15:59:38 2019 |
tree | 9082102cfc758d52ec4c9187dbc95f2228997401 | |
parent | e4c6965990d8ad42a452d5013f77628b613ad0b2 [diff] |
Fix RO-remount logic for bindmounts Using pivot-roots with bindmounts causes the kernel to keep some mountflags of the source directory (nosuid, noexec, nodev) that have to be specified during the RO-remount, otherwise the mount will fail with EPERM. This was already previously covered by obtaining the source mount flags in `setup_mount_destination`. This function failed to provide those flags if the estination folder is already existing (mounting destination '/'). This commit moves the logic to determine the mountflags of a given mountpoint into a dedicated function and properly handles vfs->mount flag translation. Test: All tests pass Bug: crbug.com/971656 Change-Id: I7468b63e26fd43f45175ac54c952f726ff93a434
The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.
There might be other copies floating around, but this is the official one!
Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.
You're one git clone
away from happiness.
$ git clone https://android.googlesource.com/platform/external/minijail $ cd minijail
Releases are tagged as linux-vXX
: https://android.googlesource.com/platform/external/minijail/+refs
See the HACKING.md document for more details.
See the RELEASE.md document for more details.
We've got a couple of contact points.
The following talk serves as a good introduction to Minijail and how it can be used.
The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.
After you play with the simple examples below, you should check that out.
# id uid=0(root) gid=0(root) groups=0(root),128(pkcs11) # minijail0 -u jorgelo -g 5000 /usr/bin/id uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status Name: cat ... CapInh: 0000000000003000 CapPrm: 0000000000003000 CapEff: 0000000000003000 CapBnd: 0000000000003000