Re: Can't get minijail0 working without bind-mounting /
1 view
Skip to first unread message
Demi Marie Obenour
Nov 24, 2025, 1:57:35 PMNov 24
to mini...@chromium.org, Alyssa Ross, Spectrum OS Development
On 11/23/25 01:38, Demi Marie Obenour wrote:
> I'm trying to get minijail0 to work without bind-mounting /, and I'm
> running into lots of problems. So far:
>
> - Unprivileged user namespaces fail due to -EPERM in a mount syscall.
>
> - Mounting a tmpfs over / always causes the program to be executed
> to not be found.
>
> - `sudo ./minijail0.sh -v --profile=minimalistic-mountns /bin/ls`
> works, but doesn't actually do any sandboxing as it bind-mounts `/`.
>
> Are there examples of how to use minijail0 properly? Alternatively,
> can I use it purely for seccomp and Landlock, and use bubblewrap to
> handle namespacing?
Forwarding to minijail mailing list. The first message was rejected
for some reason.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
> I'm trying to get minijail0 to work without bind-mounting /, and I'm
> running into lots of problems. So far:
>
> - Unprivileged user namespaces fail due to -EPERM in a mount syscall.
>
> - Mounting a tmpfs over / always causes the program to be executed
> to not be found.
>
> - `sudo ./minijail0.sh -v --profile=minimalistic-mountns /bin/ls`
> works, but doesn't actually do any sandboxing as it bind-mounts `/`.
>
> Are there examples of how to use minijail0 properly? Alternatively,
> can I use it purely for seccomp and Landlock, and use bubblewrap to
> handle namespacing?
Forwarding to minijail mailing list. The first message was rejected
for some reason.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Mike Frysinger
Nov 24, 2025, 2:58:24 PMNov 24
to Demi Marie Obenour, mini...@chromium.org, Alyssa Ross, Spectrum OS Development
On Mon, Nov 24, 2025 at 1:57 PM Demi Marie Obenour wrote:
> On 11/23/25 01:38, Demi Marie Obenour wrote:
> > I'm trying to get minijail0 to work without bind-mounting /, and I'm
> > running into lots of problems. So far:
> >
> > - Unprivileged user namespaces fail due to -EPERM in a mount syscall.
those errors come from the kernel, not minijail. you prob want to
> On 11/23/25 01:38, Demi Marie Obenour wrote:
> > I'm trying to get minijail0 to work without bind-mounting /, and I'm
> > running into lots of problems. So far:
> >
> > - Unprivileged user namespaces fail due to -EPERM in a mount syscall.
double check user namespaces constraints.
> > - Mounting a tmpfs over / always causes the program to be executed
> > to not be found.
you're trying to run statically or dynamically linked ?
> > - `sudo ./minijail0.sh -v --profile=minimalistic-mountns /bin/ls`
> > works, but doesn't actually do any sandboxing as it bind-mounts `/`.
sandboxed". sandboxing (namespaces / container technology) is
composed of a multitude of layers.
what you describe here is correct. check the set of mounts inside
that sandbox to see they're significantly reduced.
> > Are there examples of how to use minijail0 properly?
the website also links to more docs & practical examples.
https://google.github.io/minijail/
> > Alternatively,
> > can I use it purely for seccomp and Landlock, and use bubblewrap to
> > handle namespacing?
that the program needs to set things up, then i don't see why not.
-mike
Reply all
Reply to author
Forward
0 new messages