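% minijail-config-file v0

# Sandbox settings for the service that runs as mmc_service.
# Each entry below is the config-file form of the minijail0 option named in
# its comment. The directives and their values are unchanged; the file has
# been restored to one directive per line with the format header on line 1.
#
# NOTE(review): no seccomp policy is set in this file. If syscall filtering
# is expected for this service, confirm that it is applied elsewhere.

# -e: enter a new network namespace (the process needs no network access).
# Unix sockets reached through the bind mounts below are still usable.
e

# -i: minijail0 exits right after forking.
i

# -l: new IPC namespace (isolates IPC resources).
l

# -N: new cgroup namespace.
N

# -n: set the no_new_privs bit.
n

# -p: enter a new PID namespace (implies -vr).
p

# --uts: enter a new UTS namespace, so host/domain name changes made inside
# the jail do not affect the rest of the system.
uts

# -u / -g: switch to this user id and group id.
u = mmc_service
g = mmc_service

# -G: inherit supplementary groups from the new uid.
# NOTE(review): the effective group set therefore depends on the group
# memberships of mmc_service - keep them minimal.
G

# -c: the only capability kept is CAP_SYS_NICE, in the effective set
# (mask 1 << 23).
c = cap_sys_nice=e

# --profile=minimalistic-mountns: enables mount and process namespaces with a
# minimal tree: /var/empty, /, proc (RO), /dev/log, /tmp (tmpfs).
profile = minimalistic-mountns

# -k: regular mount (source, target, filesystemtype, mountflags, data).
# A private 10M tmpfs on /run, mounted nodev/nosuid/noexec with mode 755.
# It is listed before the bind mounts that target paths under /run.
mount = tmpfs,/run,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M

# -b /run/dbus: needed to communicate with D-Bus. No writeable flag is given,
# so the bind mount is read-only.
# NOTE(review): D-Bus reaches outside the namespaces above, so the bus policy
# for this service is what limits which peers it can talk to.
bind-mount = /run/dbus

# -b /run/mmc/sockets: needed to create sockets. The trailing 1 makes this
# bind mount writeable; it is the only writeable host path in this file.
bind-mount = /run/mmc/sockets,/run/mmc/sockets,1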