Robert Swiecki 2017-05-06 22:33:13 +02:00
parent ec765851f4
commit d1b3adfc40


@ -1,24 +1,27 @@
- [WHAT IS IT?](#what-is-it-) - [What is it?](#what-is-it-)
- [WHAT TYPE OF ISOLATION DOES THIS TOOL PROVIDE?](#what-type-of-isolation-does-this-tool-provide-) - [What form of isolation does it provide?](#what-type-of-isolation-does-this-tool-provide-)
- [WHICH USE-CASES ARE SUPPORTED?](#which-use-cases-are-supported-) - [Which use-cases are supported?](#which-use-cases-are-supported-)
* [Isolation of network services (inetd-style)](#isolation-of-network-services--inetd-style-) * [Isolation of network services (inetd-style)](#isolation-of-network-services--inetd-style-)
* [Isolation, with access to a private, cloned interface (requires euid==0)](#isolation--with-access-to-a-private--cloned-interface--requires-euid--0-) * [Isolation, with access to a private, cloned interface (requires euid==0)](#isolation--with-access-to-a-private--cloned-interface--requires-euid--0-)
* [Isolation of local processes](#isolation-of-local-processes) * [Isolation of local processes](#isolation-of-local-processes)
* [Isolation of local processes (and re-running them)](#isolation-of-local-processes--and-re-running-them-) * [Isolation of local processes (and re-running them)](#isolation-of-local-processes--and-re-running-them-)
* [Bash in a minimal file-system with uid==0 and access to /dev/urandom](#bash-in-a-minimal-file-system-with-uid--0-and-access-to--dev-urandom) * [Bash in a minimal file-system with uid==0 and access to /dev/urandom](#bash-in-a-minimal-file-system-with-uid--0-and-access-to--dev-urandom)
* [Even more contrained shell (with seccomp-bpf policies)](#even-more-contrained-shell--with-seccomp-bpf-policies-) * [Even more contrained shell (with seccomp-bpf policies)](#even-more-contrained-shell--with-seccomp-bpf-policies-)
- [MORE INFO?](#more-info-) - [More info?](#more-info-)
- [LAUNCHING IN DOCKER](#launching-in-docker) - [Launching in Docker](#launching-in-docker)
### WHAT IS IT? ### WHAT IS IT?
NsJail is a process isolation tool for Linux. It makes use of the the namespacing, resource control, and seccomp-bpf syscall filter subsystems of the Linux kernel. NsJail is a process isolation tool for Linux. It makes use of the the namespacing, resource control, and seccomp-bpf syscall filter subsystems of the Linux kernel.
It can help, among others, with: It can help among others, with:
* Securing networking services (e.g. web, time, DNS), by isolating them from the rest of the OS * Securing networking services (e.g. web, time, DNS), by isolating them from the rest of the OS
* Hosting computer security challenges (so-called CTFs) * Hosting computer security challenges (so-called CTFs)
* Containing invasive syscall-level OS fuzzers * Containing invasive syscall-level OS fuzzers
This is NOT an official Google product. Features:
* It offers three distinct operation modes. See [this section](#which-use-cases-are-supported-) for more info.
* Can use [kafel seccomp-bpf configuration language](https://github.com/google/kafel/) for syscall policy creation.
* It's rock-solid.
### WHAT TYPE OF ISOLATION DOES THIS TOOL PROVIDE? ### WHAT TYPE OF ISOLATION DOES THIS TOOL PROVIDE?
1. Linux namespaces: UTS (hostname), MOUNT (chroot), PID (separate PID tree), IPC, NET (separate networking context), USER 1. Linux namespaces: UTS (hostname), MOUNT (chroot), PID (separate PID tree), IPC, NET (separate networking context), USER
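Review bot: the rewritten TOC entries no longer match the headings they link to ("What form of isolation does it provide?" versus the unchanged "### WHAT TYPE OF ISOLATION DOES THIS TOOL PROVIDE?"); the slug anchors still resolve, but either the headings should be moved to sentence case as well or the TOC text should stay identical to the heading text so the two do not drift further. While these lines are being touched: "contrained" in the TOC entry (and the heading and slug it points at) should be "constrained", and the heading must change in the same commit or the link breaks; "the the namespacing" in the first paragraph is a doubled word on both sides; and the new "It can help among others, with:" drops the comma after "help" that the original "It can help, among others, with:" had, making it read worse, not better. The new "It's rock-solid." bullet under Features is an unverifiable claim that adds nothing a reader can act on; consider dropping it or replacing it with something checkable.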
@ -31,6 +34,8 @@ This is NOT an official Google product.
### WHICH USE-CASES ARE SUPPORTED? ### WHICH USE-CASES ARE SUPPORTED?
#### Isolation of network services (inetd-style) #### Isolation of network services (inetd-style)
This is NOT an official Google product.
+ Server: + Server:
``` ```
$ ./nsjail -Ml --port 9000 --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i $ ./nsjail -Ml --port 9000 --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i
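Review bot: the relocated disclaimer "This is NOT an official Google product." is inserted directly under "#### Isolation of network services (inetd-style)", between the subsection heading and the "Server:" example, where it reads as part of the inetd-style instructions rather than as a statement about the project. It belongs with the project description near the top (where the previous hunk removed it) or in its own closing section, not inside one use-case subsection.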