blob: 427162b2dde9cdea46eafafedc5981fe82725013 [file] [log] [blame]
% minijail-config-file v0
# Used jailing parameters:
# -e: enter new network namespace (for process that
# doesn't need network access);
# -i: minijail0 exits right after forking.
# -l: new IPC namespace (isolates IPC resources).
# -N: new cgroup namespace.
# -n: set no new privileges (no_new_privs bit).
# -p: Enter new pid namespace (implies -vr).
# --profile=minimalistic-mountns: Enables mount and process namespace
# which includes /var/empty, /, proc (RO), /dev/log, /tmp (tmpfs).
# -u: change userid to <user>.
# -g: change gid to <group>.
# -G: inherit supplementary groups from new uid.
# -c: cap_sys_nice=e (1 << 23).
# --uts: enters new UTS namespace. It makes changes to the host/domain
# name not affect the rest of the system.
# -k: regular mount (source, target, filesystemtype, mountflags, data)
# -b /run/dbus: mount /run/dbus to be able to communicate with D-bus.
# -b /run/mmc/sockets: mount /run/mmc/sockets to be able to create sockets.
e
i
l
N
n
p
uts
u = mmc_service
g = mmc_service
G
c = cap_sys_nice=e
profile = minimalistic-mountns
mount = tmpfs,/run,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M
bind-mount = /run/dbus
bind-mount = /run/mmc/sockets,/run/mmc/sockets,1