% minijail-config-file v0

# Used jailing parameters:
#   -e: enter new network namespace (for process that
#     doesn't need network access);
#   -i: minijail0 exits right after forking.
#   -l: new IPC namespace (isolates IPC resources).
#   -N: new cgroup namespace.
#   -n: set no new privileges (no_new_privs bit).
#   -p: Enter new pid namespace (implies -vr).
#   --profile=minimalistic-mountns: Enables mount and process namespace
#     which includes /var/empty, /, proc (RO), /dev/log, /tmp (tmpfs).
#   -u: change userid to <user>.
#   -g: change gid to <group>.
#   -G: inherit supplementary groups from new uid.
#   -c: cap_sys_nice=e (1 << 23).
#   --uts: enters new UTS namespace. It makes changes to the host/domain
#     name not affect the rest of the system.
#   -k: regular mount (source, target, filesystemtype, mountflags, data)
#   -b /run/dbus: mount /run/dbus to be able to communicate with D-bus.
#   -b /run/mmc/sockets: mount /run/mmc/sockets to be able to create sockets.

e
i
l
N
n
p
uts
u = mmc_service
g = mmc_service
G
c = cap_sys_nice=e
profile = minimalistic-mountns
mount = tmpfs,/run,tmpfs,MS_NODEV|MS_NOSUID|MS_NOEXEC,mode=755,size=10M
bind-mount = /run/dbus
bind-mount = /run/mmc/sockets,/run/mmc/sockets,1