Google Git
Sign in
chromium / chromiumos / platform / minijail / 739186d45e3f5c6a7979d1cb8c3c0309d83684df
commit739186d45e3f5c6a7979d1cb8c3c0309d83684df[log] [tgz]
authorKostya Kortchinsky <[email protected]>Fri Nov 07 05:40:16 2025
committerChromeos LUCI <[email protected]>Tue Nov 18 17:50:40 2025
tree74b0ec95f1cbcaa95569b7bf10379d1bc8b179fa
parent97c1e32e07681096cfd826f045a8bc7dd93188b7 [diff]
Fix `--logging=stderr`

This PR aims to fix `--logging=stderr`. Currently:
- the `logging` option is *not* passed to the preload library, so
  it logs to syslog no matter what.
- extra syscalls are allowed even if not logging to `syslog`, while
  really `do_log` only calls `vsyslog` if the `logger` is
  `LOG_TO_SYSLOG`.

So when we do not have access to `/dev/log` (ie: in some containers
or due to privileges), we are losing `minijail0` output in dynamic
mode, which is not ideal for monitoring purposes.

To address this:
- with `--logging=stderr`, the CLI will pass a new environment
  variable to the preload library in order for it to call
  `init_logging` appropriately (note: only supporting `stderr`);
- the preload no longer invariably calls `syslog` (replaced by
  `do_log`);
- extra syscalls are no longer allowed if not logging to syslog:
  `allow_syscalls_for_logging` is now conditional to `LOG_TO_SYSLOG`.

I feel like this is how this should work, but this could potentially
break some usage of `minijail0` if someone is expecting syslog logs
with `--logging=stderr` (which sounds wrong to start with). And it
has the extra benefit of avoiding the additional allowed syscalls.

Those changes do not impact the default behavior.

Add some tests as well (I didn't find an obvious way to do an e2e
test for this).

Change-Id: Ia4fa3edcb7101c3ffd8c72b40580105d7c86b86c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/minijail/+/7129870
Commit-Queue: Kostya Kortchinsky <[email protected]>
Reviewed-by: Jorge Lucangeli Obes <[email protected]>
Tested-by: Jorge Lucangeli Obes <[email protected]>
Reviewed-by: Ben Scarlato <[email protected]>
9 files changed
tree: 74b0ec95f1cbcaa95569b7bf10379d1bc8b179fa
  1. .github/
  2. examples/
  3. linux-x86/
  4. policies/
  5. rust/
  6. test/
  7. tools/
  8. .clang-format
  9. .gitignore
  10. Android.bp
  11. arch.h
  12. bpf.c
  13. bpf.h
  14. CleanSpec.mk
  15. common.mk
  16. config_parser.c
  17. config_parser.h
  18. config_parser_unittest.cc
  19. CPPLINT.cfg
  20. DIR_METADATA
  21. dump_constants.cc
  22. elfparse.c
  23. elfparse.h
  24. gen_constants-inl.h
  25. gen_constants.c
  26. gen_constants.sh
  27. gen_syscalls-inl.h
  28. gen_syscalls.c
  29. gen_syscalls.sh
  30. get_googletest.sh
  31. HACKING.md
  32. landlock.h
  33. landlock_util.c
  34. landlock_util.h
  35. libconstants.h
  36. libminijail-private.h
  37. libminijail.c
  38. libminijail.h
  39. libminijail.pc.in
  40. libminijail_unittest.cc
  41. libminijailpreload.c
  42. libsyscalls.h
  43. LICENSE
  44. Makefile
  45. METADATA
  46. minijail0.1
  47. minijail0.5
  48. minijail0.c
  49. minijail0.sh
  50. minijail0_cli.c
  51. minijail0_cli.h
  52. minijail0_cli_unittest.cc
  53. MODULE_LICENSE_BSD
  54. navbar.md
  55. NOTICE
  56. OWNERS
  57. OWNERS_GENERAL
  58. parse_seccomp_policy.cc
  59. platform2_preinstall.sh
  60. PRESUBMIT.cfg
  61. PREUPLOAD.cfg
  62. README.md
  63. RELEASE.md
  64. scoped_minijail.h
  65. setup.py
  66. signal_handler.c
  67. signal_handler.h
  68. syscall_filter.c
  69. syscall_filter.h
  70. syscall_filter_unittest.cc
  71. syscall_filter_unittest_macros.h
  72. syscall_wrapper.c
  73. syscall_wrapper.h
  74. system.c
  75. system.h
  76. system_unittest.cc
  77. TEST_MAPPING
  78. test_util.cc
  79. test_util.h
  80. testrunner.cc
  81. unittest_util.h
  82. util.c
  83. util.h
  84. util_unittest.cc
README.md

Minijail

The Minijail homepage is https://google.github.io/minijail/.

The main source repo is https://chromium.googlesource.com/chromiumos/platform/minijail.

There might be other copies floating around, but this is the official one!

What is it?

Minijail is a sandboxing and containment tool used in ChromeOS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.

Getting the code

You're one git clone away from happiness.

$ git clone https://chromium.googlesource.com/chromiumos/platform/minijail
$ cd minijail

Releases are tagged as linux-vXX: https://chromium.googlesource.com/chromiumos/platform/minijail/+refs

Building

See the HACKING.md document for more details.

Release process

See the RELEASE.md document for more details.

Additional tools

See the tools/README.md document for more details.

Contact

We've got a couple of contact points.

GitHub Pages homepage

The https://google.github.io/minijail/ homepage is maintained in the gh-pages branch, not in the main branch. Changes to it can be sent via Gerrit, but requires a little extra work.

# Make sure you have all the branches, and not only the "main" one.
$ git fetch

# Create a new local branch tracking the remote "gh-pages".
# Git should automatically detect the remote and track it for you.
$ git checkout gh-pages
# If git can't auto-detect the remote, try one of these.
$ git checkout -b gh-pages origin/gh-pages
$ git checkout -b gh-pages cros/gh-pages

# Make your changes like normal, then push them to Gerrit for review.
# Here's a couple of different ways to post changes; you only need one!
$ repo upload -D gh-pages
$ git push origin HEAD:refs/for/gh-pages
$ git push cros HEAD:refs/for/gh-pages

# Now review your changes via Gerrit like normal.

Once a change merges into the gh-pages branch, there is no additional work for you other than waiting -- GitHub periodically syncs with our host, and then it will automatically regenerate the homepage when the gh-pages branch updates.

Talks and presentations

The following talk serves as a good introduction to Minijail and how it can be used.

Video, slides.

Example usage

The ChromiumOS project has a comprehensive sandboxing document that is largely based on Minijail.

After you play with the simple examples below, you should check that out.

Change root to any user

# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)

Drop root while keeping some capabilities

# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000

Historical notes

Q. “Why is it called minijail0?”

A. It is minijail0 because it was a rewrite of an earlier program named minijail, which was considerably less mini, and in particular had a dependency on libchrome (the ChromeOS packaged version of Chromium's //base). We needed a new name to not collide with the deprecated one.

We didn‘t want to call it minijail2 or something that would make people start using it before we were ready, and it was also concretely less since it dropped libbase, etc. Technically, we needed to be able to fork/preload with minimal extra syscall noise which was too hard with libbase at the time (onexit handlers, etc that called syscalls we didn’t want to allow). Also, Elly made a strong case that C would be the right choice for this for linking and ease of controlled surprise system call use.

https://crrev.com/c/4585/ added the original implementation.

Source: Conversations with original authors, ellyjones@ and wad@.