From 6cae0b28a956ec37a05d3586c1aa41e8f1177100 Mon Sep 17 00:00:00 2001
From: Dylan Reid
Date: Wed, 18 Nov 2015 18:47:49 -0800
Subject: minijail: Update man page

When adding options recently, the man page had not been updated. Add the new options and fix a few issues such as -C and -t being inserted in the middle of the description for -c.

BUG=none
TEST=man ./minijail0.1

Change-Id: I2fd9f30aba93a8a0db8e8c94a799ff96c672114e
Signed-off-by: Dylan Reid
---
 minijail0.1 | 41 +++++++++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 10 deletions(-)

diff --git a/minijail0.1 b/minijail0.1
index 122ecc5..dbec74d 100644
--- a/minijail0.1
+++ b/minijail0.1
@@ -17,21 +17,28 @@ Bind-mount into the chroot directory at , optionally writeable. .TP \fB-c \fR Restrict capabilities to \fIcaps\fR. When used in conjunction with \fB-u\fR and +\fB-g\fR, this allows a program to have access to only certain parts of root's +default privileges while running as another user and group ID altogether. Note +that these capabilities are not inherited by subprocesses of the process given +capabilities unless those subprocesses have POSIX file capabilities. See +\fBcapabilities\fR(7). .TP \fB-C \fR Change root (using chroot(2)) to . .TP +\fB-e[file]\fR +Enter a new network namespace, or if \fIfile\fR is specified, Enter an existing +network namespace specified by \fIfile\fR which is typically of the form +/proc//ns/net. +.TP +\fB-f \fR +Write the pid of the jailed process to \fIfile\fR. +.TP \fB-t\fR Mounts a tmpfs filesystem on /tmp. /tmp must exist in the chroot. This must be used with -C. The default filesystem has a max size of 128M and has standard /tmp permissions (777). .TP -\fB-g\fR, this allows a program to have access to only certain parts of root's -default privileges while running as another user and group ID altogether. Note -that these capabilities are not inherited by subprocesses of the process given -capabilities unless those subprocesses have POSIX file capabilities. See -\fBcapabilities\fR(7). -.TP \fB-G\fR Inherit all the supplementary groups of the user specified with \fB-u\fR. It is an error to use this option without having specified a \fBuser name\fR to 
@@ -53,17 +60,28 @@ Print a help message detailing supported system call names for seccomp_filter. Run inside a new IPC namespace. This option makes the program's System V IPC namespace independent. .TP +\fB-m " [, ]"\fR +Set the uid mapping of a user namespace (implies \fB-pU\fR). Same arguments as +\fBnewuidmap(1)\fR. Multiple mappings should be separated by ','. +.TP +\fB-M " [, ]"\fR +Set the gid mapping of a user namespace (implies \fB-pU\fR). Same arguments as +\fBnewgidmap(1)\fR. Multiple mappings should be separated by ','. +.TP \fB-p\fR Run inside a new PID namespace. This option will make it impossible for the program to see or affect processes that are not its descendants. This implies \fB-v\fR and \fB-r\fR, since otherwise the process can see outside its namespace by inspecting /proc. .TP +\fB-P \fR +Set \fIdir\fR as the root fs using \fBpivot_root\fR. Implies \fB-v\fR, not +compatible with \fB-C\fR. +.TP \fB-r\fR -Remount certain filesystems readonly. Currently this only remounts /proc. This -implies \fB-v\fR. Remounting /proc readonly means that even if the process has -write access to a system config knob in /proc (e.g., in /sys/kernel), it cannot -change the value. +Remount /proc readonly. This implies \fB-v\fR. Remounting /proc readonly means +that even if the process has write access to a system config knob in /proc +(e.g., in /sys/kernel), it cannot change the value. .TP \fB-s\fR Enable seccomp(2) in mode 1, which restricts the child process to a very small @@ -81,6 +99,9 @@ ID. \fB-v\fR Run inside a new VFS namespace. This option makes the program's mountpoints independent of the rest of the system's. +.TP +\fB-V \fR +Enter the VFS namespace specified by \fIfile\fR. .SH IMPLEMENTATION This program is broken up into two parts: \fBminijail0\fR (the frontend) and a helper library called \fBlibminijailpreload\fR. Some jailings can only be achieved from -- cgit v1.2.3
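Review bot: in the first hunk (@@ -17,21 +17,28 @@), the new \fB-e[file]\fR entry capitalizes "Enter an existing" in the middle of a sentence; lowercase it. Two things a reader of the -f entry will want: when -p is also given, the jailed process has a different pid inside its new PID namespace than outside, so say which one is written to \fIfile\fR (the parent's view is the one a supervisor can actually use). And -t still says "This must be used with -C" although this same change adds -P as another way to set the root; if a tmpfs on /tmp also works under -P, write "with -C or -P", otherwise say why it does not. Minor: -t now sits between -f and -G, out of the alphabetical order the rest of the option list follows; it belongs down by -s/-u/-v.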
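Review bot: in the second hunk (@@ -53,17 +60,28 @@), the rewritten -r text keeps the example "(e.g., in /sys/kernel)", but /sys/kernel is sysfs, not part of /proc, and remounting /proc readonly does nothing for it; a reader could come away thinking sysfs knobs are protected by -r. The sysctl knobs the sentence means live under /proc/sys/kernel, so suggest "(e.g., in /proc/sys/kernel)". Two smaller points in the same hunk: the -m/-M entries write the cross-reference as \fBnewuidmap(1)\fR whereas the rest of the page keeps the section outside the bold (\fBcapabilities\fR(7)); and the -P entry says "not compatible with \fB-C\fR" without saying what happens if both are given (refused at startup, or one silently wins), and could cite pivot_root(2) the way -C cites chroot(2).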
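Review bot: in the third hunk (@@ -81,6 +99,9 @@), the new -V entry says only "Enter the VFS namespace specified by \fIfile\fR" and gives no hint what that file is, while the -e entry added in the same change tells the reader it is typically a /proc .../ns/net handle; mirror that here (the ns/mnt entry of the same /proc directory). It should also state how -V combines with -v and with -P, both of which this page says create a new VFS namespace, since the text as written does not let a reader tell whether specifying both is an error or which one takes effect.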