NsJail is a process isolation tool for Linux. It uses the Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters of the Linux kernel.
.PP
Use execveat() to execute a file descriptor instead of executing the binary path. In that case argv[0]/exec_file denotes a file path before mount namespacing
.PP
Username/uid of processes inside the jail (default: your current uid). You can also use the inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times
.TP
\fB\-\-group\fR|\fB\-g\fR VALUE
Groupname/gid of processes inside the jail (default: your current gid). You can also use the inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times
.TP
\fB\-\-hostname\fR|\fB\-H\fR VALUE
UTS name (hostname) of the jail (default: 'NSJAIL')
.TP
\fB\-\-cwd\fR|\fB\-D\fR VALUE
Directory in the namespace the process will run (default: '/')
.TP
\fB\-\-port\fR|\fB\-p\fR VALUE
TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)
.TP
\fB\-\-bindhost\fR VALUE
IP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')
.TP
\fB\-\-max_conns_per_ip\fR|\fB\-i\fR VALUE
Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))
.TP
\fB\-\-log\fR|\fB\-l\fR VALUE
Log file (default: use log_fd)
.TP
\fB\-\-log_fd\fR|\fB\-L\fR VALUE
Log FD (default: 2)
.TP
\fB\-\-time_limit\fR|\fB\-t\fR VALUE
Maximum time that a jail can exist, in seconds (default: 600)
.TP
\fB\-\-max_cpus\fR VALUE
Maximum number of CPUs a single jailed process can use (default: 0 'no limit')
.PP
Don't use CLONE_NEWNET. Enable networking inside the jail
.TP
\fB\-\-disable_clone_newuser\fR
Don't use CLONE_NEWUSER. Requires euid==0
.TP
\fB\-\-disable_clone_newns\fR
Don't use CLONE_NEWNS
.TP
\fB\-\-disable_clone_newpid\fR
Don't use CLONE_NEWPID
.TP
\fB\-\-disable_clone_newipc\fR
Don't use CLONE_NEWIPC
.TP
\fB\-\-disable_clone_newuts\fR
Don't use CLONE_NEWUTS
.TP
\fB\-\-enable_clone_newcgroup\fR
Use CLONE_NEWCGROUP
.TP
\fB\-\-uid_mapping\fR|\fB\-U\fR VALUE
Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap to be present
.TP
\fB\-\-gid_mapping\fR|\fB\-G\fR VALUE
Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap to be present
.TP
\fB\-\-bindmount_ro\fR|\fB\-R\fR VALUE
List of mountpoints to be mounted \fB\-\-bind\fR (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
.TP
\fB\-\-bindmount\fR|\fB\-B\fR VALUE
List of mountpoints to be mounted \fB\-\-bind\fR (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
.TP
\fB\-\-tmpfsmount\fR|\fB\-T\fR VALUE
List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax
.TP
\fB\-\-tmpfs_size\fR VALUE
Number of bytes to allocate for tmpfsmounts (default: 4194304)
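.PP
An added example, not part of the NsJail documentation or code: a small lint that reads an nsjail argument list and reports the options described above that relax isolation (namespaces switched off, read-write bind mounts, a malformed inside:outside:count mapping, a TCP listener left at the unlimited per-IP default). The function names, finding labels and sample arguments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not NsJail project code: lint an nsjail argument list.
# Assumes each option and its value are separate words (no --opt=value).

# valid_idmap SPEC: true only for numeric inside:outside:count, count >= 1.
valid_idmap() {
    case "$1" in
        ''|*[!0-9:]*|*::*|:*|*:) return 1 ;;
    esac
    old_ifs=$IFS; IFS=:
    set -- $1                      # split the spec on ':' into $1 $2 $3
    IFS=$old_ifs
    [ "$#" -eq 3 ] && [ "$3" -ge 1 ]
}

# audit_nsjail_args ARGS...: prints one finding per line (labels are this example's own).
audit_nsjail_args() {
    listen=0; capped=0
    while [ "$#" -gt 0 ]; do
        opt=$1; val=${2-}
        case "$opt" in
            --disable_clone_new*)   # each of these switches one namespace off
                echo "namespace-off:${opt#--disable_clone_new}" ;;
            --bindmount|-B)         # rw bind: the jail can modify the source path
                echo "rw-bind:$val" ;;
            --uid_mapping|-U|--gid_mapping|-G)
                if ! valid_idmap "$val"; then echo "bad-idmap:$val"; fi ;;
            --port|-p)              # a non-zero port enables MODE_LISTEN_TCP
                if [ "$val" != 0 ]; then listen=1; fi ;;
            --max_conns_per_ip|-i)
                if [ "$val" != 0 ]; then capped=1; fi ;;
        esac
        shift
    done
    # max_conns_per_ip defaults to 0, which means unlimited connections per IP.
    if [ "$listen" -eq 1 ] && [ "$capped" -eq 0 ]; then
        echo "listen-without-per-ip-cap"
    fi
    return 0
}

# Constructed sample invocation (not from the page).
audit_nsjail_args --port 8080 --bindmount /srv/data --disable_clone_newnet \
    --uid_mapping 0:100000 --time_limit 60
```

An empty result means none of these checks fired; it does not cover options outside the list above.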