From: Mike Frysinger
Date: Mon, 24 Nov 2025 14:57:42 -0500
Subject: Re: [minijail] Re: Can't get minijail0 working without bind-mounting /
To: Demi Marie Obenour
CC: minijail@chromium.org, Alyssa Ross, Spectrum OS Development
List-Id: Patches and low-level development discussion

On Mon, Nov 24, 2025 at 1:57 PM Demi Marie Obenour wrote:
> On 11/23/25 01:38, Demi Marie Obenour wrote:
> > I'm trying to get minijail0 to work without bind-mounting /, and I'm
> > running into lots of problems. So far:
> >
> > - Unprivileged user namespaces fail due to -EPERM in a mount syscall.

those errors come from the kernel, not minijail. you prob want to
double check user namespaces constraints.

> > - Mounting a tmpfs over / always causes the program to be executed
> >   to not be found.

what is the command line you are using exactly, and is the program
you're trying to run statically or dynamically linked?

> > - `sudo ./minijail0.sh -v --profile=minimalistic-mountns /bin/ls`
> >   works, but doesn't actually do any sandboxing as it bind-mounts `/`.

it sounds like you're conflating "empty filesystem" with "it's
sandboxed". sandboxing (namespaces / container technology) is
composed of a multitude of layers.

what you describe here is correct. check the set of mounts inside
that sandbox to see they're significantly reduced.

> > Are there examples of how to use minijail0 properly?

seems like you've already found some, and they're working correctly.

the website also links to more docs & practical examples.
https://google.github.io/minijail/

> > Alternatively,
> > can I use it purely for seccomp and Landlock, and use bubblewrap to
> > handle namespacing?

if the minijail config allows access to all the syscalls/privileges
that the program needs to set things up, then i don't see why not.

-mike
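
Added example, not part of the original message and not minijail code: one way to do the mount-set check suggested in the reply, by comparing the host's `/proc/self/mountinfo` with the one a jailed process sees. Both tables below are constructed samples, not real minijail output; capturing the jail's table by reading `/proc/self/mountinfo` as the jailed program is an assumption about the setup.

```python
import re

# Constructed sample data (not real minijail output): host mount table and
# the table seen by a jailed process whose / is a read-only bind of the host root.
HOST = r"""22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
24 22 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
25 22 0:5 / /dev rw,nosuid,relatime shared:2 - devtmpfs devtmpfs rw,size=4096k
26 22 8:3 / /home rw,relatime shared:30 - ext4 /dev/sda3 rw
27 22 8:17 / /mnt/my\040usb rw,relatime shared:40 - vfat /dev/sdb1 rw"""
JAIL = r"""310 309 8:2 / / ro,relatime - ext4 /dev/sda2 rw
311 310 0:21 / /proc ro,nosuid,nodev,noexec,relatime - proc proc rw
312 310 0:55 / /dev ro,nosuid,noexec,relatime - tmpfs none rw,mode=755
313 310 0:56 / /tmp rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw"""


def unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return {mount_point: info}; a later line over-mounts an earlier one."""
    mounts = {}
    for line in text.strip().splitlines():
        left, _, right = line.partition(" - ")  # optional fields end at " - "
        f, r = left.split(), right.split()
        mounts[unescape(f[4])] = {
            "dev": f[2],                   # major:minor of the backing filesystem
            "opts": set(f[5].split(",")),  # per-mount options (ro/rw, nosuid, ...)
            "fstype": r[0],
        }
    return mounts


def compare(host_text, jail_text):
    host, jail = parse_mountinfo(host_text), parse_mountinfo(jail_text)
    return {
        "hidden": sorted(set(host) - set(jail)),     # host mounts absent in jail
        "jail_only": sorted(set(jail) - set(host)),  # mounts created for the jail
        "writable": sorted(m for m, i in jail.items() if "rw" in i["opts"]),
        "shares_host_root": jail["/"]["dev"] == host["/"]["dev"],
    }


if __name__ == "__main__":
    for key, value in compare(HOST, JAIL).items():
        print(f"{key}: {value}")
```

In the constructed data the jail still shares the host's root filesystem, yet three host mounts are gone and only `/tmp` is writable, which is the kind of reduction the reply refers to.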