Update README.md

parent 438fd80ecf
commit dc5905ab17

1 file changed: README.md (11 lines)
@@ -12,6 +12,7 @@
 
 This is NOT an official Google product.
 
+***
 ### What is it
 
 NsJail is a process isolation tool for Linux. It utilizes Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters from the Linux kernel.
 
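Review bot: the inserted `***` sits directly above `### What is it` with no blank line between the rule and the heading. CommonMark still renders this as a thematic break followed by an ATX heading, but for readability of the source and for symmetry with the blank line kept above the rule, consider adding a blank line after `***` as well. The same placement repeats before every section heading in this commit.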
@@ -21,10 +22,11 @@ It can help with (among other things):
 * Containing invasive syscall-level OS fuzzers
 
 Features:
-* It offers three distinct operational modes. See [this section](#which-use-cases-are-supported) for more info.
-* Uses [kafel seccomp-bpf configuration language](https://github.com/google/kafel/) for syscall policy creation.
-* It's rock-solid.
+- [x] It offers three distinct operational modes. See [this section](#which-use-cases-are-supported) for more info.
+- [x] Uses [kafel seccomp-bpf configuration language](https://github.com/google/kafel/) for syscall policy creation.
+- [x] It's rock-solid.
 
+***
 ### What forms of isolation does it provide
 1. Linux namespaces: UTS (hostname), MOUNT (chroot), PID (separate PID tree), IPC, NET (separate networking context), USER
 2. FS constraints: chroot(), pivot_root(), RO-remounting
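Review bot: `- [x]` is GitHub-flavoured task-list syntax rather than plain CommonMark, so renderers without task-list support, and anyone reading the README as plain text, will see a literal `[x]`; a checked checkbox also reads as a completed to-do item rather than a statement of a feature. The three rewritten lines additionally switch the list marker from `*` to `-` while the `* Containing invasive syscall-level OS fuzzers` list just above keeps `*`. If the intent is simply a features list, keeping the original `* ...` bullets is the smaller and more portable change.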
@@ -33,6 +35,7 @@ Features:
 5. Cloned and separated Ethernet interfaces
 6. Cgroups for memory and PID utilization control
 
+***
 ### Which use-cases are supported
 #### Isolation of network services (inetd style)
 
@@ -174,6 +177,7 @@ $ exit
 [2017-01-15T21:53:17+0100] PID: 18873 exited with status: 159, (PIDs left: 0)
 </pre>
 
+***
 ### More info
 
 The options should be self-explanatory, and these are available with:
@@ -327,6 +331,7 @@ Options:
 nsjail -Me --chroot / --disable_proc -- /bin/echo "ABC"
 </pre>
 
+***
 ### Launching in Docker
 
 To launch nsjail in a docker container clone the repository and build the docker image: