code-intelligence.com/cifuzz@v0.40.0/third-party/minijail/minijail0.1 (about) 1 .TH MINIJAIL0 "1" "March 2016" "Chromium OS" "User Commands" 2 .SH NAME 3 minijail0 \- sandbox a process 4 .SH SYNOPSIS 5 .B minijail0 6 [\fIOPTION\fR]... <\fIPROGRAM\fR> [\fIargs\fR]... 7 .SH DESCRIPTION 8 .PP 9 Runs PROGRAM inside a sandbox. 10 .TP 11 \fB-a <table>\fR 12 Run using the alternate syscall table named \fItable\fR. Only available on kernels 13 and architectures that support the \fBPR_ALT_SYSCALL\fR option of \fBprctl\fR(2). 14 .TP 15 \fB-b <src>[,[dest][,<writeable>]] 16 Bind-mount \fIsrc\fR into the chroot directory at \fIdest\fR, optionally writeable. 17 The \fIsrc\fR path must be an absolute path. 18 19 If \fIdest\fR is not specified, it will default to \fIsrc\fR. 20 If the destination does not exist, it will be created as a file or directory 21 based on the \fIsrc\fR type (including missing parent directories). 22 23 To create a writable bind-mount set \fIwritable\fR to \fB1\fR. If not specified 24 it will default to \fB0\fR (read-only). 25 .TP 26 \fB-B <mask>\fR 27 Skip setting securebits in \fImask\fR when restricting capabilities (\fB-c\fR). 28 \fImask\fR is a hex constant that represents the mask of securebits that will 29 be preserved. See \fBcapabilities\fR(7) for the complete list. By default, 30 \fBSECURE_NOROOT\fR, \fBSECURE_NO_SETUID_FIXUP\fR, and \fBSECURE_KEEP_CAPS\fR 31 (together with their respective locks) are set. 32 \fBSECBIT_NO_CAP_AMBIENT_RAISE\fR (and its respective lock) is never set 33 because the permitted and inheritable capability sets have already been set 34 through \fB-c\fR. 35 .TP 36 \fB-c <caps>\fR 37 Restrict capabilities to \fIcaps\fR, which is either a hex constant or a string 38 that will be passed to \fBcap_from_text\fR(3) (only the effective capability 39 mask will be considered). The value will be used as the permitted, effective, 40 and inheritable sets. When used in conjunction with \fB-u\fR and \fB-g\fR, 41 this allows a program to have access to only certain parts of root's default 42 privileges while running as another user and group ID altogether. Note that 43 these capabilities are not inherited by subprocesses of the process given 44 capabilities unless those subprocesses have POSIX file capabilities or the 45 \fB--ambient\fR flag is also passed. See \fBcapabilities\fR(7). 46 .TP 47 \fB-C <dir>\fR 48 Change root (using \fBchroot\fR(2)) to \fIdir\fR. 49 .TP 50 \fB-d\fR, \fB--mount-dev\fR 51 Create a new /dev mount with a minimal set of nodes. Implies \fB-v\fR. 52 Additional nodes can be bound with the \fB-b\fR or \fB-k\fR options. 53 54 .nf 55 \[bu] The initial set of nodes are: full null tty urandom zero. 56 \[bu] Symlinks are also created for: fd ptmx stderr stdin stdout. 57 \[bu] Directores are also created for: shm. 58 .re 59 .TP 60 \fB-e[file]\fR 61 Enter a new network namespace, or if \fIfile\fR is specified, enter an existing 62 network namespace specified by \fIfile\fR which is typically of the form 63 /proc/<pid>/ns/net. 64 .TP 65 \fB-f <file>\fR 66 Write the pid of the jailed process to \fIfile\fR. 67 .TP 68 \fB-g <group|gid> 69 Change groups to the specified \fIgroup\fR name, or numeric group ID \fIgid\fR. 70 .TP 71 \fB-G\fR 72 Inherit all the supplementary groups of the user specified with \fB-u\fR. It 73 is an error to use this option without having specified a \fBuser name\fR to 74 \fB-u\fR. 75 .TP 76 \fB--add-suppl-group <group|gid>\fR 77 Add the specified \fIgroup\fR name, or numeric group ID \fIgid\fR, 78 to the process' supplementary groups list. Can be specified 79 multiple times to add several groups. Incompatible with -y and -G. 80 .TP 81 \fB-h\fR 82 Print a help message. 83 .TP 84 \fB-H\fR 85 Print a help message detailing supported system call names for seccomp_filter. 86 (Other direct numbers may be specified if minijail0 is not in sync with the 87 host kernel or something like 32/64-bit compatibility issues exist.) 88 .TP 89 \fB-i\fR 90 Exit immediately after \fBfork\fR(2). The jailed process will keep running in 91 the background. 92 93 Normally minijail will fork+exec the specified \fIprogram\fR so that it can set 94 up the right security settings in the new child process. The initial minijail 95 process will stay resident and wait for the \fIprogram\fR to exit so the script 96 that ran minijail will correctly block (e.g. standalone scripts). Specifying 97 \fB-i\fR makes that initial process exit immediately and free up the resources. 98 99 This option is recommended for daemons and init services when you want to 100 background the long running \fIprogram\fR. 101 .TP 102 \fB-I\fR 103 Run \fIprogram\fR as init (pid 1) inside a new pid namespace (implies \fB-p\fR). 104 105 Most programs don't expect to run as an init which is why minijail will do it 106 for you by default. Basically, the \fIprogram\fR needs to reap any processes it 107 forks to avoid leaving zombies behind. Signal handling needs care since the 108 kernel will mask all signals that don't have handlers registered (all default 109 handlers are ignored and cannot be changed). 110 111 This means a minijail process (acting as init) will remain resident by default. 112 While using \fB-I\fR is recommended when possible, strict review is required to 113 make sure the \fIprogram\fR continues to work as expected. 114 115 \fB-i\fR and \fB-I\fR may be safely used together. The \fB-i\fR option controls 116 the first minijail process outside of the pid namespace while the \fB-I\fR 117 option controls the minijail process inside of the pid namespace. 118 .TP 119 \fB-k <src>,<dest>,<type>[,<flags>[,<data>]]\fR 120 Mount \fIsrc\fR, a \fItype\fR filesystem, at \fIdest\fR. If a chroot or pivot 121 root is active, \fIdest\fR will automatically be placed below that path. 122 123 The \fIflags\fR field is optional and may be a mix of \fIMS_XXX\fR or hex 124 constants separated by \fI|\fR characters. See \fBmount\fR(2) for details. 125 \fIMS_NODEV|MS_NOSUID|MS_NOEXEC\fR is the default value (a writable mount 126 with nodev/nosuid/noexec bits set), and it is strongly recommended that all 127 mounts have these three bits set whenever possible. If you need to disable 128 all three, then specify something like \fIMS_SILENT\fR. 129 130 The \fIdata\fR field is optional and is a comma delimited string (see 131 \fBmount\fR(2) for details). It is passed directly to the kernel, so all 132 fields here are filesystem specific. For \fItmpfs\fR, if no data is specified, 133 we will default to \fImode=0755,size=10M\fR. If you want other settings, you 134 will need to specify them explicitly yourself. 135 136 If the mount is not a pseudo filesystem (e.g. proc or sysfs), \fIsrc\fR path 137 must be an absolute path (e.g. \fI/dev/sda1\fR and not \fIsda1\fR). 138 139 If the destination does not exist, it will be created as a directory (including 140 missing parent directories). 141 .TP 142 \fB-K[mode]\fR 143 Don't mark all existing mounts as MS_SLAVE. 144 This option is \fBdangerous\fR as it negates most of the functionality of \fB-v\fR. 145 You very likely don't need this. 146 147 You may specify a mount propagation mode in which case, that will be used 148 instead of the default MS_SLAVE. See the \fBmount\fR(2) man page and the 149 kernel docs \fIDocumentation/filesystems/sharedsubtree.txt\fR for more 150 technical details, but a brief guide: 151 152 .IP 153 \[bu] \fBslave\fR Changes in the parent mount namespace will propagate in, but 154 changes in this mount namespace will not propagate back out. This is usually 155 what people want to use, and is the default behavior if you don't specify \fB-K\fR. 156 .IP 157 \[bu] \fBprivate\fR No changes in either mount namespace will propagate. 158 This provides the most isolation. 159 .IP 160 \[bu] \fBshared\fR Changes in the parent and this mount namespace will freely 161 propagate back and forth. This is not recommended. 162 .IP 163 \[bu] \fBunbindable\fR Mark all mounts as unbindable. 164 .TP 165 \fB-l\fR 166 Run inside a new IPC namespace. This option makes the program's System V IPC 167 namespace independent. 168 .TP 169 \fB-L\fR 170 Report blocked syscalls when using a seccomp filter. On kernels with support for 171 SECCOMP_RET_LOG, every blocked syscall will be reported through the audit 172 subsystem (see \fBseccomp\fR(2) for more details on SECCOMP_RET_LOG 173 availability.) On all other kernels, the first failing syscall will be logged to 174 syslog. This latter case will also force certain syscalls to be allowed in order 175 to write to syslog. Note: this option is disabled and ignored for release 176 builds. 177 .TP 178 \fB-m[<uid> <loweruid> <count>[,<uid> <loweruid> <count>]]\fR 179 Set the uid mapping of a user namespace (implies \fB-pU\fR). Same arguments as 180 \fBnewuidmap\fR(1). Multiple mappings should be separated by ','. With no mapping, 181 map the current uid to root inside the user namespace. 182 .TP 183 \fB-M[<uid> <loweruid> <count>[,<uid> <loweruid> <count>]]\fR 184 Set the gid mapping of a user namespace (implies \fB-pU\fR). Same arguments as 185 \fBnewgidmap\fR(1). Multiple mappings should be separated by ','. With no mapping, 186 map the current gid to root inside the user namespace. 187 .TP 188 \fB-n\fR 189 Set the process's \fIno_new_privs\fR bit. See \fBprctl\fR(2) and the kernel 190 source file \fIDocumentation/prctl/no_new_privs.txt\fR for more info. 191 .TP 192 \fB-N\fR 193 Run inside a new cgroup namespace. This option runs the program with a cgroup 194 view showing the program's cgroup as the root. This is only available on v4.6+ 195 of the Linux kernel. 196 .TP 197 \fB-p\fR 198 Run inside a new PID namespace. This option will make it impossible for the 199 program to see or affect processes that are not its descendants. This implies 200 \fB-v\fR and \fB-r\fR, since otherwise the process can see outside its namespace 201 by inspecting /proc. 202 203 If the \fIprogram\fR exits, all of its children will be killed immediately by 204 the kernel. If you need to daemonize or background things, use the \fB-i\fR 205 option. 206 207 See \fBpid_namespaces\fR(7) for more info. 208 .TP 209 \fB-P <dir>\fR 210 Set \fIdir\fR as the root fs using \fBpivot_root\fR. Implies \fB-v\fR, not 211 compatible with \fB-C\fR. 212 .TP 213 \fB-r\fR 214 Remount /proc readonly. This implies \fB-v\fR. Remounting /proc readonly means 215 that even if the process has write access to a system config knob in /proc 216 (e.g., in /sys/kernel), it cannot change the value. 217 .TP 218 \fB-R <rlim_type>,<rlim_cur>,<rlim_max>\fR 219 Set an rlimit value, see \fBgetrlimit\fR(2) for more details. 220 221 \fIrlim_type\fR may be specified using symbolic constants like \fIRLIMIT_AS\fR. 222 223 \fIrlim_cur\fR and \fIrlim_max\fR are specified either with a number (decimal or 224 hex starting with \fI0x\fR), or with the string \fIunlimited\fR (which will 225 translate to \fIRLIM_INFINITY\fR). 226 .TP 227 \fB-s\fR 228 Enable \fBseccomp\fR(2) in mode 1, which restricts the child process to a very 229 small set of system calls. 230 You most likely do not want to use this with the seccomp filter mode (\fB-S\fR) 231 as they are completely different (even though they have similar names). 232 .TP 233 \fB-S <arch-specific seccomp_filter policy file>\fR 234 Enable \fBseccomp\fR(2) in mode 13 which restricts the child process to a set of 235 system calls defined in the policy file. Note that system call names may be 236 different based on the runtime environment; see \fBminijail0\fR(5) for more 237 details. 238 .TP 239 \fB-t[size]\fR 240 Mounts a tmpfs filesystem on /tmp. /tmp must exist already (e.g. in the chroot). 241 The filesystem has a default size of "64M", overridden with an optional 242 argument. It has standard /tmp permissions (1777), and is mounted 243 nodev/noexec/nosuid. Implies \fB-v\fR. 244 .TP 245 \fB-T <type>\fR 246 Assume binary's ELF linkage type is \fItype\fR, which must be either 'static' 247 or 'dynamic'. Either setting will prevent minijail0 from manually parsing the 248 ELF header to determine the type. Type 'static' can be used to avoid preload 249 hooking, and will force minijail0 to instead set everything up before the 250 program is executed. Type 'dynamic' will force minijail0 to preload 251 \fIlibminijailpreload.so\fR to setup hooks, but will fail on actually 252 statically-linked binaries. 253 .TP 254 \fB-u <user|uid>\fR 255 Change users to the specified \fIuser\fR name, or numeric user ID \fIuid\fR. 256 .TP 257 \fB-U\fR 258 Enter a new user namespace (implies \fB-p\fR). 259 .TP 260 \fB-v\fR 261 Run inside a new VFS namespace. This option prevents mounts performed by the 262 program from affecting the rest of the system (but see \fB-K\fR). 263 .TP 264 \fB-V <file>\fR 265 Enter the VFS namespace specified by \fIfile\fR. 266 .TP 267 \fB-w\fR 268 Create and join a new anonymous session keyring. See \fBkeyrings\fR(7) for more 269 details. 270 .TP 271 \fB-y\fR 272 Keep the current user's supplementary groups. 273 .TP 274 \fB-Y\fR 275 Synchronize seccomp filters across thread group. 276 .TP 277 \fB-z\fR 278 Don't forward any signals to the jailed process. For example, when not using 279 \fB-i\fR, sending \fBSIGINT\fR (e.g., CTRL-C on the terminal), will kill the 280 minijail0 process, not the jailed process. 281 .TP 282 \fB--ambient\fR 283 Raise ambient capabilities to match the mask specified by \fB-c\fR. Since 284 ambient capabilities are preserved across \fBexecve\fR(2), this allows for 285 process trees to have a restricted set of capabilities, even if they are 286 capability-dumb binaries. See \fBcapabilities\fR(7). 287 .TP 288 \fB--uts[=hostname]\fR 289 Create a new UTS/hostname namespace, and optionally set the hostname in the new 290 namespace to \fIhostname\fR. 291 .TP 292 \fB--logging=<system>\fR 293 Use \fIsystem\fR as the logging system. \fIsystem\fR must be one of 294 \fBauto\fR (the default), \fBsyslog\fR, or \fBstderr\fR. 295 296 \fBauto\fR will use \fBstderr\fR if connected to a tty (e.g. run directly by a 297 user), otherwise it will use \fBsyslog\fR. 298 .TP 299 \fB--profile <profile>\fR 300 Choose from one of the available sandboxing profiles, which are simple way to 301 get a standardized environment. See the 302 .BR "SANDBOXING PROFILES" 303 section below for the full list of supported values for \fIprofile\fR. 304 .TP 305 \fB--preload-library <file path>\fR 306 Allows overriding the default path of \fI/lib/libminijailpreload.so\fR. This 307 is only really useful for testing. 308 \fB--seccomp-bpf-binary <arch-specific BPF binary>\fR 309 This is similar to \fB-S\fR, but 310 instead of using a policy file, \fB--secomp-bpf-binary\fR expects a 311 arch-and-kernel-version-specific pre-compiled BPF binary (such as the ones 312 produced by \fBparse_seccomp_policy\fR). Note that the filter might be 313 different based on the runtime environment; see \fBminijail0\fR(5) for more 314 details. 315 .TP 316 \fB--allow-speculative-execution\fR 317 Allow speculative execution features that may cause data leaks across processes. 318 This passes the \fISECCOMP_FILTER_FLAG_SPEC_ALLOW\fR flag to seccomp which 319 disables mitigations against certain speculative execution attacks; namely 320 Branch Target Injection (spectre-v2) and Speculative Store Bypass (spectre-v4). 321 These mitigations incur a runtime performance hit, so it is useful to be able 322 to disable them in order to quantify their performance impact. 323 324 \fBWARNING:\fR It is dangerous to use this option on programs that process 325 untrusted input, which is normally what Minijail is used for. Do not enable 326 this option unless you know what you're doing. 327 328 See the kernel documentation \fIDocumentation/userspace-api/spec_ctrl.rst\fR 329 and \fIDocumentation/admin-guide/hw-vuln/spectre.rst\fR for more information. 330 .SH SANDBOXING PROFILES 331 The following sandboxing profiles are supported: 332 .TP 333 \fBminimalistic-mountns\fR 334 Set up a minimalistic mount namespace. Equivalent to \fB-v -P /var/empty 335 -b / -b /proc -b /dev/log -t -r --mount-dev\fR. 336 .TP 337 \fBminimalistic-mountns-nodev\fR 338 Set up a minimalistic mount namespace with an empty /dev path. Equivalent to 339 \fB-v -P /var/empty -b/ -b/proc -t -r\fR. 340 .SH IMPLEMENTATION 341 This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper 342 library called \fBlibminijailpreload\fR. Some jailings can only be achieved 343 from the process to which they will actually apply: 344 345 .IP 346 \[bu] capability use (without using ambient capabilities): non-ambient 347 capabilities are not inherited across \fBexecve\fR(2) unless the file being 348 executed has POSIX file capabilities. Ambient capabilities (the 349 \fB--ambient\fR flag) fix capability inheritance across \fBexecve\fR(2) to 350 avoid the need for file capabilities. 351 352 \[bu] seccomp: a meaningful seccomp filter policy should disallow 353 \fBexecve\fR(2), to prevent a compromised process from executing a different 354 binary. However, this would prevent the seccomp policy from being applied 355 before \fBexecve\fR(2). 356 .RE 357 358 To this end, \fBlibminijailpreload\fR is forcibly loaded into all 359 dynamically-linked target programs by default; we pass the specific 360 restrictions in an environment variable which the preloaded library looks for. 361 The forcibly-loaded library then applies the restrictions to the newly-loaded 362 program. 363 364 This behavior can be disabled by the use of the \fB-T static\fR flag. There 365 are other cases in which the use of this flag might be useful: 366 367 .IP 368 \[bu] When \fIprogram\fR is linked against a different version of \fBlibc.so\fR 369 than \fBlibminijailpreload.so\fR. 370 371 \[bu] When \fBexecve\fR(2) has side-effects that interact badly with the 372 jailing process. If the system uses SELinux, \fBexecve\fR(2) can cause an 373 automatic domain transition, which would then require that the target domain 374 allows the operations to jail \fIprogram\fR. 375 .RE 376 377 .SH AUTHOR 378 The Chromium OS Authors <chromiumos-dev@chromium.org> 379 .SH COPYRIGHT 380 Copyright \(co 2011 The Chromium OS Authors 381 License BSD-like. 382 .SH "SEE ALSO" 383 .BR libminijail.h , 384 .BR minijail0 (5), 385 .BR seccomp (2)