seccomp | ||
cmdline.c | ||
cmdline.h | ||
common.h | ||
contain.c | ||
contain.h | ||
CONTRIBUTING | ||
LICENSE | ||
log.c | ||
log.h | ||
Makefile | ||
net.c | ||
net.h | ||
nsjail.c | ||
nsjail.h | ||
README.md | ||
sandbox.c | ||
sandbox.h | ||
subproc.c | ||
subproc.h |
WHAT IS IT?
NsJail is a Linux isolation tool making use of the namespacing and seccomp-bpf subsystems of the Linux kernel.
This is NOT an official Google product.
WHAT KIND OF ISOLATION DOES IT PROVIDE?
- Linux namespaces: UTS, MOUNT, PID, IPC, NET, USER (optional)
- FS chroot-ing (chroot()/pivot_root())
- Seccomp-bpf syscall filters
WHAT USE-CASES DOES IT COVER?
- Isolating networking daemons (inetd-style)
-
Server: $ ./nsjail -Ml --port 9000 --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i
-
Client: $ nc 127.0.0.1 9000 / $ ifconfig / $ ifconfig -a lo Link encap:Local Loopback LOOPBACK MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
- Isolating local processes (run it once, and exit)
$ ./nsjail -Mo --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i / $ ifconfig -a lo Link encap:Local Loopback LOOPBACK MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) / $ id uid=99999 gid=99999 / $exit $
- Isolating local processes (and re-running them)
$ ./nsjail -Mr --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash) Enter 'help' for a list of built-in commands. / $ exit BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash) Enter 'help' for a list of built-in commands. / $
MORE INFO?
Type: './nsjail --help' - cmd-line switches are well-documented