path: root/minijail0.1
Diffstat (limited to 'minijail0.1')
-rw-r--r--  minijail0.1  39
1 files changed, 30 insertions, 9 deletions
diff --git a/minijail0.1 b/minijail0.1
index 820d3ca..7dc6f74 100644
--- a/minijail0.1
+++ b/minijail0.1
@@ -12,12 +12,14 @@ Runs PROGRAM inside a sandbox.
Run using the alternate syscall table named \fItable\fR. Only available on kernels
and architectures that support the \fBPR_ALT_SYSCALL\fR option of \fBprctl\fR(2).
.TP
-\fB-b <src>[,<dest>[,<writeable>]]
+\fB-b <src>[,[dest][,<writeable>]]
Bind-mount \fIsrc\fR into the chroot directory at \fIdest\fR, optionally writeable.
The \fIsrc\fR path must be an absolute path.
+
If \fIdest\fR is not specified, it will default to \fIsrc\fR.
If the destination does not exist, it will be created as a file or directory
based on the \fIsrc\fR type (including missing parent directories).
+
To create a writable bind-mount set \fIwritable\fR to \fB1\fR. If not specified
it will default to \fB0\fR (read-only).
.TP
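Review bot: the synopsis on the `+\fB-b` line spells the third argument `<writeable>` while the body two lines later says `set \fIwritable\fR to \fB1\fR`, and the first description line says "optionally writeable"; pick one spelling (mount(8) uses "writable") so the name a user greps for matches everywhere. The new `[,[dest][,<writeable>]]` bracket nesting is easy to misread; since the point of the change is that `dest` may now be empty, one concrete form such as `-b /src,,1` (writable bind of `/src` at the same path) next to the "If dest is not specified" sentence would make the intent unambiguous.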
@@ -48,8 +50,12 @@ Change root (using \fBchroot\fR(2)) to \fIdir\fR.
\fB-d\fR, \fB--mount-dev\fR
Create a new /dev mount with a minimal set of nodes. Implies \fB-v\fR.
Additional nodes can be bound with the \fB-b\fR or \fB-k\fR options.
-The initial set of nodes are: full null tty urandom zero.
-Symlinks are also created for: fd ptmx stderr stdin stdout.
+
+.nf
+\[bu] The initial set of nodes are: full null tty urandom zero.
+\[bu] Symlinks are also created for: fd ptmx stderr stdin stdout.
+\[bu] Directores are also created for: shm.
+.re
.TP
\fB-e[file]\fR
Enter a new network namespace, or if \fIfile\fR is specified, enter an existing
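Review bot: `.re` on the last added line is not a troff request; no-fill mode opened with `.nf` is closed with `.fi`, so as written the rest of the page from `-d` onward renders unfilled (every source line becomes an output line). Also "Directores" should be "Directories", and for consistency with the bullets in the `-K` section below, which use `.IP` followed by `\[bu]`, consider `.IP` paragraphs instead of a `.nf` block.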
@@ -134,22 +140,22 @@ If the destination does not exist, it will be created as a directory (including
missing parent directories).
.TP
\fB-K[mode]\fR
-Don't mark all existing mounts as MS_PRIVATE.
+Don't mark all existing mounts as MS_SLAVE.
This option is \fBdangerous\fR as it negates most of the functionality of \fB-v\fR.
You very likely don't need this.
You may specify a mount propagation mode in which case, that will be used
-instead of the default MS_PRIVATE. See the \fBmount\fR(2) man page and the
+instead of the default MS_SLAVE. See the \fBmount\fR(2) man page and the
kernel docs \fIDocumentation/filesystems/sharedsubtree.txt\fR for more
technical details, but a brief guide:
.IP
\[bu] \fBslave\fR Changes in the parent mount namespace will propagate in, but
changes in this mount namespace will not propagate back out. This is usually
-what people want to use.
+what people want to use, and is the default behavior if you don't specify \fB-K\fR.
.IP
\[bu] \fBprivate\fR No changes in either mount namespace will propagate.
-This is the default behavior if you don't specify \fB-K\fR.
+This provides the most isolation.
.IP
\[bu] \fBshared\fR Changes in the parent and this mount namespace will freely
propagate back and forth. This is not recommended.
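Review bot: "in which case, that will be used" has a stray comma. Since the default flips from private to slave in this hunk, the `-K` intro should say explicitly that `-K slave` is equivalent to not passing `-K` and that `-K private` restores the previous default, so callers who relied on the old behaviour know what to pass. It is also worth spelling out the trade-off the two bullets imply: with slave, mounts created in the parent namespace after the jail starts become visible inside it, so anything that needs the jail's view of the filesystem to stay fixed must now request `-K private`.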
@@ -252,8 +258,8 @@ Change users to the specified \fIuser\fR name, or numeric user ID \fIuid\fR.
Enter a new user namespace (implies \fB-p\fR).
.TP
\fB-v\fR
-Run inside a new VFS namespace. This option makes the program's mountpoints
-independent of the rest of the system's.
+Run inside a new VFS namespace. This option prevents mounts performed by the
+program from affecting the rest of the system (but see \fB-K\fR).
.TP
\fB-V <file>\fR
Enter the VFS namespace specified by \fIfile\fR.
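Review bot: the new `-v` sentence describes only the outbound direction; with the MS_SLAVE default introduced in the `-K` hunk, mounts made outside the sandbox still propagate in (per the "slave" bullet there). Suggest completing the sentence so the reader does not infer full isolation: "This option prevents mounts performed by the program from affecting the rest of the system; mounts made outside the sandbox will still appear inside it unless \fB-K private\fR is given."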
@@ -306,6 +312,21 @@ arch-and-kernel-version-specific pre-compiled BPF binary (such as the ones
produced by \fBparse_seccomp_policy\fR). Note that the filter might be
different based on the runtime environment; see \fBminijail0\fR(5) for more
details.
+.TP
+\fB--allow-speculative-execution\fR
+Allow speculative execution features that may cause data leaks across processes.
+This passes the \fISECCOMP_FILTER_FLAG_SPEC_ALLOW\fR flag to seccomp which
+disables mitigations against certain speculative execution attacks; namely
+Branch Target Injection (spectre-v2) and Speculative Store Bypass (spectre-v4).
+These mitigations incur a runtime performance hit, so it is useful to be able
+to disable them in order to quantify their performance impact.
+
+\fBWARNING:\fR It is dangerous to use this option on programs that process
+untrusted input, which is normally what Minijail is used for. Do not enable
+this option unless you know what you're doing.
+
+See the kernel documentation \fIDocumentation/userspace-api/spec_ctrl.rst\fR
+and \fIDocumentation/admin-guide/hw-vuln/spectre.rst\fR for more information.
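Review bot: "disables mitigations against certain speculative execution attacks" overstates what the flag does. SECCOMP_FILTER_FLAG_SPEC_ALLOW only stops the kernel from opting the process into the per-task SSB and spectre-v2 user mitigations at the moment a seccomp filter is installed; whether those mitigations are otherwise in force is governed by the `spec_store_bypass_disable=` and `spectre_v2_user=` settings covered by the spectre.rst document this paragraph already cites, and the flag changes nothing when those are not in "seccomp" mode. Suggest: "tells the kernel not to enable the per-process Spectre v2 (STIBP) and Speculative Store Bypass mitigations that installing a seccomp filter would otherwise turn on". Minor: the constant is set in italics (`\fI...\fR`) while `\fBPR_ALT_SYSCALL\fR` and the MS_SLAVE references elsewhere on the page are bold or plain; make it consistent.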
.SH SANDBOXING PROFILES
The following sandboxing profiles are supported:
.TP