On Mon, Nov 24, 2025 at 1:57 PM Demi Marie Obenour wrote:
> On 11/23/25 01:38, Demi Marie Obenour wrote:
>> I'm trying to get minijail0 to work without bind-mounting /, and I'm running into lots of problems. So far:
>> - Unprivileged user namespaces fail due to -EPERM in a mount syscall.

those errors come from the kernel, not minijail. you prob want to double check user namespaces constraints.

>> - Mounting a tmpfs over / always causes the program to be executed to not be found.

what is the command line you are using exactly, and is the program you're trying to run statically or dynamically linked?

>> - `sudo ./minijail0.sh -v --profile=minimalistic-mountns /bin/ls` works, but doesn't actually do any sandboxing as it bind-mounts `/`.

it sounds like you're conflating "empty filesystem" with "it's sandboxed". sandboxing (namespaces / container technology) is composed of a multitude of layers. what you describe here is correct. check the set of mounts inside that sandbox to see they're significantly reduced.

>> Are there examples of how to use minijail0 properly?

seems like you've already found some, and they're working correctly. the website also links to more docs & practical examples. https://google.github.io/minijail/

>> Alternatively, can I use it purely for seccomp and Landlock, and use bubblewrap to handle namespacing?

if the minijail config allows access to all the syscalls/privileges that the program needs to set things up, then i don't see why not.
-mike
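
Added example (not part of the thread and not minijail code): a small shell helper for the mount check suggested in the reply above, comparing a host capture of /proc/self/mountinfo with one taken inside the sandbox. The function names and both sample captures are constructed for illustration.

```shell
#!/bin/sh
# Added example: diff two /proc/self/mountinfo captures (host vs. sandbox).
# mountinfo fields used: 3 = major:minor, 5 = mount point (spaces appear as \040).
# Function names are hypothetical; the sample captures below are constructed.

# Device (major:minor) of the topmost mount at "/" in a capture.
root_dev() { awk '$5 == "/" { dev = $3 } END { print dev }' "$1"; }

# Succeeds when the sandbox "/" is the same filesystem as the host "/",
# i.e. the root was bind-mounted rather than replaced.
root_is_host_root() { [ "$(root_dev "$1")" = "$(root_dev "$2")" ]; }

# Mount points visible on the host ($1) but absent inside the sandbox ($2).
mounts_hidden() {
    h=$(mktemp); s=$(mktemp)
    awk '{ print $5 }' "$1" | LC_ALL=C sort -u > "$h"
    awk '{ print $5 }' "$2" | LC_ALL=C sort -u > "$s"
    LC_ALL=C comm -23 "$h" "$s"
    rm -f "$h" "$s"
}

# Write constructed sample captures to $1/host and $1/sandbox.
write_samples() {
    cat > "$1/host" <<'EOF'
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec shared:12 - proc proc rw
24 22 0:22 / /sys rw,nosuid,nodev,noexec shared:2 - sysfs sysfs rw
25 22 0:5 / /dev rw,nosuid shared:8 - devtmpfs devtmpfs rw
26 22 8:3 / /home rw,relatime shared:30 - ext4 /dev/sda3 rw
27 22 0:40 / /run rw,nosuid,nodev shared:13 - tmpfs tmpfs rw
EOF
    cat > "$1/sandbox" <<'EOF'
410 380 8:2 / / rw,relatime - ext4 /dev/sda2 rw
411 410 0:21 / /proc rw,nosuid,nodev,noexec - proc proc rw
412 410 0:61 / /dev rw,nosuid,noexec - tmpfs none rw
413 410 0:62 / /tmp rw,nosuid,nodev,noexec - tmpfs none rw
EOF
}

# Demo on the constructed data. For real captures, run
#   cat /proc/self/mountinfo
# on the host and again as the jailed program (assumes /proc is visible inside).
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "hidden from the sandbox:"; mounts_hidden "$demo_dir/host" "$demo_dir/sandbox"
root_is_host_root "$demo_dir/host" "$demo_dir/sandbox" && echo "sandbox / is the host root filesystem"
rm -rf "$demo_dir"
```

A shorter mount list with the same root device matches what the thread describes: the mount namespace is reduced, while the contents of the host root stay reachable through the bind mount.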