From dc5905ab177ce90c3684e4a5eaab47658b15be4b Mon Sep 17 00:00:00 2001 From: robertswiecki Date: Sun, 7 May 2017 04:20:23 +0200 Subject: [PATCH] Update README.md --- README.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 286c073..214c7a1 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ This is NOT an official Google product. +*** ### What is it NsJail is a process isolation tool for Linux. It utilizes Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters from the Linux kernel. @@ -21,10 +22,11 @@ It can help with (among other things): * Containing invasive syscall-level OS fuzzers Features: - * It offers three distinct operational modes. See [this section](#which-use-cases-are-supported) for more info. - * Uses [kafel seccomp-bpf configuration language](https://github.com/google/kafel/) for syscall policy creation. - * It's rock-solid. + - [x] It offers three distinct operational modes. See [this section](#which-use-cases-are-supported) for more info. + - [x] Uses [kafel seccomp-bpf configuration language](https://github.com/google/kafel/) for syscall policy creation. + - [x] It's rock-solid. +*** ### What forms of isolation does it provide 1. Linux namespaces: UTS (hostname), MOUNT (chroot), PID (separate PID tree), IPC, NET (separate networking context), USER 2. FS constraints: chroot(), pivot_root(), RO-remounting @@ -33,6 +35,7 @@ Features: 5. Cloned and separated Ethernet interfaces 6. Cgroups for memory and PID utilization control +*** ### Which use-cases are supported #### Isolation of network services (inetd style) @@ -174,6 +177,7 @@ $ exit [2017-01-15T21:53:17+0100] PID: 18873 exited with status: 159, (PIDs left: 0) +*** ### More info The options should be self-explanatory, and these are available with: 
@@ -327,6 +331,7 @@ Options: nsjail -Me --chroot / --disable_proc -- /bin/echo "ABC" +*** ### Launching in Docker To launch nsjail in a docker container clone the repository and build the docker image:
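Review bot: in the hunk at `@@ -21,10 +22,11 @@`, the Features list is switched from plain `*` bullets to task-list items (`- [x]`). Task-list checkboxes are a GitHub Flavored Markdown extension, not CommonMark, so other renderers (package indexes, man-page or HTML converters) will print a literal `[x]`, and checked boxes read as a completed to-do list rather than a list of properties. Suggest keeping ordinary `-` or `*` bullets, or, if the checkmarks are meant to signal "implemented", state that intent on the `Features:` line.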
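Review bot: in the hunk at `@@ -174,6 +177,7 @@`, the new `***` is inserted immediately after the sample session that ends with `$ exit` and the `[2017-01-15T21:53:17+0100] PID: 18873 exited with status: 159, (PIDs left: 0)` log line. Check that the closing code fence of that session comes before the inserted line; if the fence is after it, `***` becomes literal text inside the code block instead of a horizontal rule before `### More info`.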
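Review bot: in the hunk at `@@ -327,6 +331,7 @@`, the same fence check applies: the `***` is placed right after the `nsjail -Me --chroot / --disable_proc -- /bin/echo "ABC"` example under `Options:`. Confirm that example's fenced block is closed before the new line, and that a blank line separates the fence from `***`, so the rule renders and `### Launching in Docker` still starts a new section.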