|
|
||
|---|---|---|
| seccomp | ||
| cmdline.c | ||
| cmdline.h | ||
| common.h | ||
| contain.c | ||
| contain.h | ||
| CONTRIBUTING | ||
| LICENSE | ||
| log.c | ||
| log.h | ||
| Makefile | ||
| net.c | ||
| net.h | ||
| nsjail.c | ||
| nsjail.h | ||
| README.md | ||
| sandbox.c | ||
| sandbox.h | ||
| subproc.c | ||
| subproc.h | ||
WHAT IS IT?
NsJail is a Linux process isolation tool making use of the namespacing features, and seccomp-bpf filters of the Linux kernel
This is NOT an official Google product.
WHAT KIND OF ISOLATION DOES IT PROVIDE?
- Linux namespaces: UTS, MOUNT, PID, IPC, NET, USER (optional)
- FS chroot-ing: chroot(), pivot_root()
- Resource limits (CPU time, etc.)
- Seccomp-bpf syscall filters
WHAT USE-CASES DOES IT COVER?
Isolating networking daemons (inetd-style)
- Server:
$ ./nsjail -Ml --port 9000 --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i
- Client:
$ nc 127.0.0.1 9000
/ $ ifconfig
/ $ ifconfig -a
lo Link encap:Local Loopback
LOOPBACK MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Isolating local processes (run it once, and exit)
$ ./nsjail -Mo --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i
/ $ ifconfig -a
lo Link encap:Local Loopback
LOOPBACK MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ $ id
uid=99999 gid=99999
/ $exit
$
Isolating local processes (and re-running them)
$ ./nsjail -Mr --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i
BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ $ exit
BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ $
MORE INFO?
Type:
./nsjail --help'
the commandline options are reasonably well-documented