| seccomp | ||
| cmdline.c | ||
| cmdline.h | ||
| common.h | ||
| contain.c | ||
| contain.h | ||
| CONTRIBUTING | ||
| LICENSE | ||
| log.c | ||
| log.h | ||
| Makefile | ||
| net.c | ||
| net.h | ||
| nsjail.c | ||
| nsjail.h | ||
| README.md | ||
| sandbox.c | ||
| sandbox.h | ||
| subproc.c | ||
| subproc.h | ||
WHAT IS IT?
NsJail is a Linux isolation tool making use of the namespacing and seccomp-bpf subsystems of the Linux kernel.
WHAT KIND OF ISOLATION DOES IT PROVIDE?
- Linux namespaces: UTS, MOUNT, PID, IPC, NET, USER (optional)
- FS chroot-ing (chroot()/pivot_root())
- Seccomp-bpf syscall filters
WHAT USE-CASES DOES IT COVER?
- Isolating networking daemons (inetd-style)
-
Server: $ ./nsjail -Ml --port 9000 --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i
-
Client: $ nc 127.0.0.1 9000 / $ ifconfig / $ ifconfig -a lo Link encap:Local Loopback LOOPBACK MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
- Isolating local processes (run it once, and exit)
$ ./nsjail -Mo --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i / $ ifconfig -a lo Link encap:Local Loopback LOOPBACK MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) / $ id uid=99999 gid=99999 / $exit $
- Isolating local processes (and re-running them)
$ ./nsjail -Mr --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash) Enter 'help' for a list of built-in commands. / $ exit BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash) Enter 'help' for a list of built-in commands. / $
MORE INFO?
Type: './nsjail --help' - cmd-line switches are well-documented