Runs PROGRAM inside a sandbox.
-a <table> Run using the alternate syscall table named table. Only available on kernels and architectures that support the PR_ALT_SYSCALL option of prctl(2).
-b <src>,<dest>[,<writeable>] Bind-mount src into the chroot directory at dest, optionally writeable.
-c <caps> Restrict capabilities to caps. When used in conjunction with -u and -g, this allows a program to have access to only certain parts of root's default privileges while running as another user and group ID altogether. Note that these capabilities are not inherited by subprocesses of the process given capabilities unless those subprocesses have POSIX file capabilities. See capabilities(7).
-C <dir> Change root (using chroot(2)) to dir.
-e[file] Enter a new network namespace, or if file is specified, enter an existing network namespace specified by file which is typically of the form /proc/<pid>/ns/net.
-f <file> Write the pid of the jailed process to file.
-g <group> Change groups to group, which may be either a group name or a numeric group ID.
-G Inherit all the supplementary groups of the user specified with -u. It is an error to use this option without having specified a user name to -u.
-h Print a help message.
-H Print a help message detailing supported system call names for seccomp_filter. (Other direct numbers may be specified if minijail0 is not in sync with the host kernel or something like 32/64-bit compatibility issues exist.)
-I Run program as init (pid 1) inside a new pid namespace (implies -p).
-k <src>,<dest>,<type>[,<flags>] Mount src, a type filesystem, into the chroot directory at dest, with optional flags.
-K Don't mark all existing mounts as MS_PRIVATE. This option is dangerous as it negates most of the functionality of -v. You very likely don't need this.
-l Run inside a new IPC namespace. This option makes the program's System V IPC namespace independent.
-L Report blocked syscalls to syslog when using seccomp filter. This option will force certain syscalls to be allowed in order to achieve this, depending on the system.
-m[<uid> <loweruid> <count>[,<uid> <loweruid> <count>]] Set the uid mapping of a user namespace (implies -pU). Same arguments as newuidmap(1). Multiple mappings should be separated by ','. With no mapping, map the current uid to root inside the user namespace.
-M[<uid> <loweruid> <count>[,<uid> <loweruid> <count>]] Set the gid mapping of a user namespace (implies -pU). Same arguments as newgidmap(1). Multiple mappings should be separated by ','. With no mapping, map the current gid to root inside the user namespace.
-n Set the process's no_new_privs bit. See prctl(2) and the kernel source file Documentation/prctl/no_new_privs.txt for more info.
-N Run inside a new cgroup namespace. This option runs the program with a cgroup view showing the program's cgroup as the root. This is only available on v4.6+ of the Linux kernel.
-p Run inside a new PID namespace. This option will make it impossible for the program to see or affect processes that are not its descendants. This implies -v and -r, since otherwise the process can see outside its namespace by inspecting /proc.
-P <dir> Set dir as the root fs using pivot_root. Implies -v, not compatible with -C.
-r Remount /proc readonly. This implies -v. Remounting /proc readonly means that even if the process has write access to a system config knob in /proc (e.g., in /sys/kernel), it cannot change the value.
-s Enable seccomp(2) in mode 1, which restricts the child process to a very small set of system calls.
-S <arch-specific seccomp_filter policy file> Enable seccomp(2) in mode 13 which restricts the child process to a set of system calls defined in the policy file. Note that system calls often change names based on the architecture or mode. (uname -m is your friend.)
-t[size] Mount a tmpfs filesystem on /tmp. /tmp must exist already (e.g. in the chroot). The filesystem has a default size of "64M", overridden with an optional argument. It has standard /tmp permissions (1777), and is mounted nodev/noexec/nosuid. Implies -v.
-T <type> Assume program's ELF linkage type is type, which should be either 'static' or 'dynamic'.
-u <user> Change users to user, which may be either a user name or a numeric user ID.
-U Enter a new user namespace (implies -p).
-v Run inside a new VFS namespace. This option makes the program's mountpoints independent of the rest of the system's.
-V <file> Enter the VFS namespace specified by file.
-w Create and join a new anonymous session keyring. See keyrings(7) for more details.
-y Keep the current user's supplementary groups.
-Y Synchronize seccomp filters across thread group.
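The following is an added example, not part of the minijail0 man page or the Minijail project: it assembles an invocation for an unprivileged service from the options above and checks two constraints the page states (-G requires -u; -P is not compatible with -C) before the command is run. The policy file format, the user/group names and the /usr/bin/tool path are assumptions.

```shell
#!/bin/sh
# Added example (not Minijail's own code): compose a minijail0 command
# line from the documented options and validate it against the
# constraints the man page states, without executing anything.
set -eu

# Return 1 (with a message) when the argument list violates a documented
# constraint. $@ = the minijail0 options, one token each, before "--".
check_opts() {
    has_u=0; has_G=0; has_P=0; has_C=0
    for a in "$@"; do
        case "$a" in
            -u) has_u=1 ;;  -G) has_G=1 ;;
            -P) has_P=1 ;;  -C) has_C=1 ;;
        esac
    done
    if [ "$has_G" -eq 1 ] && [ "$has_u" -eq 0 ]; then
        echo "check_opts: -G requires a user given with -u" >&2; return 1
    fi
    if [ "$has_P" -eq 1 ] && [ "$has_C" -eq 1 ]; then
        echo "check_opts: -P (pivot_root) is not compatible with -C (chroot)" >&2; return 1
    fi
    return 0
}

# Print, one token per line, the options for an unprivileged service:
# run as user $1 / group $2 with no capabilities (-c 0) and no_new_privs
# (-n), in new pid/IPC/cgroup/net namespaces (-p also implies -v and -r),
# with a private tmpfs on /tmp (-t) and the seccomp policy file $3 (-S).
build_opts() {
    printf '%s\n' -u "$1" -g "$2" -c 0 -n -p -l -N -e -t -S "$3"
}

# Write a constructed policy for -S: one "syscall: expression" line per
# allowed call (names as -H lists them). The format is assumed here; the
# option list above does not describe it.
write_policy() {
    printf '%s\n' 'read: 1' 'write: 1' 'exit_group: 1' > "$1"
}

# Stand-alone run: build and validate the command line, then print it
# instead of executing it, so this works without minijail0 installed.
work=$(mktemp -d)
write_policy "$work/tool.policy"
set -- $(build_opts nobody nogroup "$work/tool.policy")
check_opts "$@"
echo "minijail0 $* -- /usr/bin/tool"   # /usr/bin/tool is a placeholder
rm -r "$work"
```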