Still hooked on sandboxes, so let's keep talking about them. Today's sandbox is called minijail, and ChatGPT pointed me to it. One search turned up something remarkable: it is a sandbox officially maintained by Google and used in Chrome.
Contents
- How to call the Python interpreter from C++ to execute Python code (Part 1)?
- How to call the Python interpreter from C++ to execute Python code (Part 2)?
- How to call the Python interpreter from C++ to execute Python code (Part 3)?
- How to call the Python interpreter from C++ to execute Python code (Part 4)?
- How to call the Python interpreter from C++ to execute Python code (Part 5)?
- How to call the Python interpreter from C++ to execute Python code (Part 6)?
- How to call the Python interpreter from C++ to execute Python code (Part 7)?
Build
yum install libcap-devel.x86_64
make -j
Help
[xiaochu.yh ~/tools/minijail] (master) $./minijail0 -h
Usage: ./minijail0 [options] [--] <program> [args...]
Account (user/group) options:
-u <user> Change uid to <user>.
-g <group> Change gid to <group>.
-G Inherit supplementary groups from new uid.
Incompatible with -y or --add-suppl-group.
-y Keep original uid's supplementary groups.
Incompatible with -G or --add-suppl-group.
--add-suppl-group <group>
Add <group> to the proccess' supplementary groups.
Can be specified multiple times to add several groups.
Incompatible with -y or -G.
Mount/path options:
-b <src[,dst[,writable]]>, --bind-mount <...>
Bind <src> to <dst>.
-k <src,dst,fstype[,flags[,data]]>, --mount <...>
Mount <src> at <dst>. <flags> and <data> can be specified as
in mount(2). Multiple instances allowed.
-K Do not change share mode of any existing mounts.
-K<mode> Mark all existing mounts as <mode> instead of MS_PRIVATE.
-r Remount /proc read-only (implies -v).
-d, --mount-dev
Create a new /dev with a minimal set of device nodes
(implies -v). See minijail0(1) for exact list.
-t[size] Mount tmpfs at /tmp (implies -v).
Optional argument specifies size (default "64M").
-C <dir> chroot(2) to <dir>. Incompatible with -P.
-P <dir> pivot_root(2) to <dir> (implies -v). Incompatible with -C.
Namespace options:
-N Enter a new cgroup namespace.
-l Enter new IPC namespace.
-v, --ns-mount
Enter new mount namespace.
-V <file> Enter specified mount namespace.
-e[file] Enter new network namespace, or existing |file| if provided.
-p Enter new pid namespace (implies -vr).
-I Run as init (pid 1) inside a new pid namespace (implies -p).
-U Enter new user namespace (implies -p).
-m[<uid> <loweruid> <count>]
Set the uid map of a user namespace (implies -pU).
Same arguments as newuidmap(1); mappings are comma separated.
With no mapping, map the current uid to root.
Incompatible with -b without the 'writable' option.
-M[<gid> <lowergid> <count>]
Set the gid map of a user namespace (implies -pU).
Same arguments as newgidmap(1); mappings are comma separated.
With no mapping, map the current gid to root.
Incompatible with -b without the 'writable' option.
--uts[=name] Enter a new UTS namespace (and set hostname).
Seccomp options:
-S <file> Set seccomp filter using <file>.
E.g., '-S /usr/share/filters/<prog>.$(uname -m)'.
Requires -n when not running as root.
--seccomp-bpf-binary=<f>
Set a pre-compiled seccomp filter using <f>.
E.g., '-S /usr/share/filters/<prog>.$(uname -m).bpf'.
Requires -n when not running as root.
The user is responsible for ensuring that the binary
was compiled for the correct architecture / kernel version.
-L Report blocked syscalls when using seccomp filter.
If the kernel does not support SECCOMP_RET_LOG, some syscalls
will automatically be allowed (see below).
-Y Synchronize seccomp filters across thread group.
-a <table> Use alternate syscall table <table>.
-s Use seccomp mode 1 (not the same as -S).
Other options:
--config <file>
Load the Minijail configuration file <file>.
If used, must be specified ahead of other options.
--profile <p>
Configure minijail0 to run with the <p> sandboxing profile,
which is a convenient way to express multiple flags
that are typically used together.
See the minijail0(1) man page for the full list.
-n Set no_new_privs. See prctl(2) for details.
-c <caps> Restrict caps to <caps>.
--ambient Raise ambient capabilities. Requires -c.
-B <mask> Skip setting <mask> securebits when restricting caps (-c).
By default, SECURE_NOROOT, SECURE_NO_SETUID_FIXUP, and
SECURE_KEEP_CAPS (with their respective locks) are set.
-f <file> Write the pid of the jailed process to <file>.
-i Exit immediately after fork(2); i.e. background the program.
-z Don't forward signals to jailed process.
-R <type,cur,max>
Call setrlimit(3); can be specified multiple times.
-T <type> Assume <program> is a <type> ELF binary;
<type> may be 'static' or 'dynamic'.
This will avoid accessing <program> binary before execve(2).
Type 'static' will avoid preload hooking.
-w Create and join a new anonymous session keyring.
--env-reset Clear the current environment instead of having <program>
inherit the active environment. Often used to start <program>
with a minimal sanitized environment.
--env-add <NAME=value>
Sets the specified environment variable <NAME>
in the <program>'s environment before starting it.
Uncommon options:
--allow-speculative-execution
Allow speculative execution by disabling mitigations.
--fs-default-paths
Adds a set of allowed paths to allow running common system
executables.
--fs-path-rx
Adds an allowed read-execute path.
--fs-path-ro
Adds an allowed read-only path.
--fs-path-rw
Adds an allowed read-write path.
--fs-path-advanced-rw
Adds an allowed advanced read-write path.
--preload-library=<file>
Overrides the path to "/lib/libminijailpreload.so".
This is only really useful for local testing.
--logging=<output>
Set the logging system output: 'auto' (default),
'syslog', or 'stderr'.
-h Help (this message).
-H Seccomp filter help message.
syscalls allowed when logging (-L):
socket connect sendto writev
Usage
See https://github.com/google/minijail for details.
Remarks
This tool is officially maintained by Google and widely used in Chrome OS, so in theory its reliability is higher than nsjail's. Worth trying.
The license is BSD-2 style, so it can be used commercially.
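To make the option list above concrete, here is an added example (my own script, not code from the minijail project) that composes one minijail0 invocation out of the flags documented in the help text: drop to an unprivileged user (-u/-g), set no_new_privs (-n, required with -S when not root), enter fresh pid/IPC/mount/network namespaces (-p -l -v -e), remount /proc read-only (-r), give the program a private tmpfs /tmp (-t), bind /usr read-only (-b), and apply a seccomp policy written in minijail's text policy format (-S) with blocked calls logged (-L). The policy contents, the user name "nobody", and the policy file path are assumptions for the demonstration; changing uid and creating pid/network namespaces need root (or a user namespace via -U) on the host.

```shell
#!/bin/sh
# Added example, not part of the minijail project: build a minijail0 command
# line from the options in the help text and a minimal seccomp policy.
set -eu

# Write a seccomp policy in minijail's text format, which minijail0 -S
# compiles to BPF. "<syscall>: 1" allows the call; "<syscall>: return <ERRNO>"
# makes it fail with that errno instead of killing the process.
# The syscall list is a constructed starting point, not a policy for any
# particular program: run with -L first and extend it from the logged calls.
write_policy() {
    cat > "$1" <<'EOF'
read: 1
write: 1
close: 1
fstat: 1
brk: 1
mmap: 1
mprotect: 1
munmap: 1
exit_group: 1
openat: return ENOENT
socket: return EPERM
EOF
}

# Print the minijail0 arguments (space separated, trailing space) for running
# "$@" under the policy file named by $1. Each flag is one from minijail0 -h.
minijail_args() {
    policy="$1"; shift
    printf '%s ' \
        -u nobody -g nobody \
        -n \
        -p -l -v -r \
        -e \
        -t \
        -b /usr,/usr \
        -S "$policy" -L \
        -- "$@"
}

# Write the policy and launch the program under minijail0 if it is installed;
# otherwise show the command that would have run and fail with 127.
run_sandboxed() {
    policy="$1"; shift
    write_policy "$policy"
    if command -v minijail0 >/dev/null 2>&1; then
        # Word splitting of the printed arguments is intended here.
        # shellcheck disable=SC2046
        minijail0 $(minijail_args "$policy" "$@")
    else
        echo "minijail0 not found; would run: minijail0 $(minijail_args "$policy" "$@")" >&2
        return 127
    fi
}

# Usage: run_sandboxed /tmp/minijail-demo.policy /bin/echo hello
```

Because -b without the "writable" option mounts /usr read-only and -t replaces /tmp with a fresh tmpfs, the jailed program sees no writable path except that tmpfs; the policy's "openat: return ENOENT" makes file opens fail softly, so a program that needs files will show up in the -L log rather than being killed outright, which is how you iterate toward a tight policy.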