298 lines
10 KiB
Groff
298 lines
10 KiB
Groff
.TH NSJAIL "1" "August 2017" "nsjail" "User Commands"
|
|
\"
|
|
.SH NAME
|
|
nsjail \- process isolation tool for linux
|
|
\"
|
|
.SH SYNOPSIS
|
|
\fInsjail\fP [options] \fB\-\-\fR path_to_command [args]
|
|
\"
|
|
.SH DESCRIPTION
|
|
NsJail is a process isolation tool for Linux. It utilizes Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters of the Linux kernel
|
|
\"
|
|
.SH Options
|
|
.TP
|
|
\fB\-\-help\fR|\fB\-h\fR Help plz..
|
|
.TP
|
|
\fB\-\-mode\fR|\fB\-M\fR VALUE
|
|
Execution mode (default: o [MODE_STANDALONE_ONCE]):
|
|
.IP
|
|
\fBl\fR: Wait for connections on a TCP port (specified with \fB\-\-port\fR) [MODE_LISTEN_TCP]
|
|
.PP
|
|
.IP
|
|
\fBo\fR: Launch a single process on the console using clone/execve [MODE_STANDALONE_ONCE]
|
|
.PP
|
|
.IP
|
|
\fBe\fR: Launch a single process on the console using execve [MODE_STANDALONE_EXECVE]
|
|
.PP
|
|
.IP
|
|
\fBr\fR: Launch a single process on the console with clone/execve, keep doing it forever [MODE_STANDALONE_RERUN]
|
|
.PP
|
|
.TP
|
|
\fB\-\-config\fR|\fB\-C\fR VALUE
|
|
Configuration file in the config.proto ProtoBuf format (see configs/ directory for examples)
|
|
.TP
|
|
\fB\-\-exec_file\fR|\fB\-x\fR VALUE
|
|
File to exec (default: argv[0])
|
|
.TP
|
|
\fB\-\-execute_fd\fR
|
|
Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing
|
|
.TP
|
|
\fB\-\-chroot\fR|\fB\-c\fR VALUE
|
|
Directory containing / of the jail (default: none)
|
|
.TP
|
|
\fB\-\-rw\fR
|
|
Mount chroot dir (/) R/W (default: R/O)
|
|
.TP
|
|
\fB\-\-user\fR|\fB\-u\fR VALUE
|
|
Username/uid of processess inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times
|
|
.TP
|
|
\fB\-\-group\fR|\fB\-g\fR VALUE
|
|
Groupname/gid of processess inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times
|
|
.TP
|
|
\fB\-\-hostname\fR|\fB\-H\fR VALUE
|
|
UTS name (hostname) of the jail (default: 'NSJAIL')
|
|
.TP
|
|
\fB\-\-cwd\fR|\fB\-D\fR VALUE
|
|
Directory in the namespace the process will run (default: '/')
|
|
.TP
|
|
\fB\-\-port\fR|\fB\-p\fR VALUE
|
|
TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)
|
|
.TP
|
|
\fB\-\-bindhost\fR VALUE
|
|
IP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')
|
|
.TP
|
|
\fB\-\-max_conns_per_ip\fR|\fB\-i\fR VALUE
|
|
Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))
|
|
.TP
|
|
\fB\-\-log\fR|\fB\-l\fR VALUE
|
|
Log file (default: use log_fd)
|
|
.TP
|
|
\fB\-\-log_fd\fR|\fB\-L\fR VALUE
|
|
Log FD (default: 2)
|
|
.TP
|
|
\fB\-\-time_limit\fR|\fB\-t\fR VALUE
|
|
Maximum time that a jail can exist, in seconds (default: 600)
|
|
.TP
|
|
\fB\-\-max_cpus\fR VALUE
|
|
Maximum number of CPUs a single jailed process can use (default: 0 'no limit')
|
|
.TP
|
|
\fB\-\-daemon\fR|\fB\-d\fR
|
|
Daemonize after start
|
|
.TP
|
|
\fB\-\-verbose\fR|\fB\-v\fR
|
|
Verbose output
|
|
.TP
|
|
\fB\-\-quiet\fR|\fB\-q\fR
|
|
Log warning and more important messages only
|
|
.TP
|
|
\fB\-\-really_quiet\fR|\fB\-Q\fR
|
|
Log fatal messages only
|
|
.TP
|
|
\fB\-\-keep_env\fR|\fB\-e\fR
|
|
Pass all environment variables be passed process (default: all envvars are cleared)
|
|
.TP
|
|
\fB\-\-env\fR|\fB\-E\fR VALUE
|
|
Additional environment variable (can be used multiple times). If the envvar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envvar value will be used
|
|
.TP
|
|
\fB\-\-keep_caps\fR
|
|
Don't drop any capabilities
|
|
.TP
|
|
\fB\-\-cap\fR VALUE
|
|
Retain this capability, e.g. CAP_PTRACE (can be specified multiple times)
|
|
.TP
|
|
\fB\-\-silent\fR
|
|
Redirect child process' fd:0/1/2 to /dev/null
|
|
.TP
|
|
\fB\-\-stderr_to_null\fR
|
|
Redirect FD=2 (STDERR_FILENO) to /dev/null
|
|
.TP
|
|
\fB\-\-skip_setsid\fR
|
|
Don't call setsid(), allows for terminal signal handling in the sandboxed process. Dangerous
|
|
.TP
|
|
\fB\-\-pass_fd\fR VALUE
|
|
Don't close this FD before executing the child process (can be specified multiple times), by default: 0/1/2 are kept open
|
|
.TP
|
|
\fB\-\-disable_no_new_privs\fR
|
|
Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)
|
|
.TP
|
|
\fB\-\-rlimit_as\fR VALUE
|
|
RLIMIT_AS in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM_INFINITY (default: 512)
|
|
.TP
|
|
\fB\-\-rlimit_core\fR VALUE
|
|
RLIMIT_CORE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current limit, 'inf' for RLIM_INFINITY (default: 0)
|
|
.TP
|
|
\fB\-\-rlimit_cpu\fR VALUE
|
|
RLIMIT_CPU, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM_INFINITY (default: 600)
|
|
.TP
|
|
\fB\-\-rlimit_fsize\fR VALUE
|
|
RLIMIT_FSIZE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM_INFINITY (default: 1)
|
|
.TP
|
|
\fB\-\-rlimit_nofile\fR VALUE
|
|
RLIMIT_NOFILE, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current limit, 'inf' for RLIM_INFINITY (default: 32)
|
|
.TP
|
|
\fB\-\-rlimit_nproc\fR VALUE
|
|
RLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM_INFINITY (default: 'soft')
|
|
.TP
|
|
\fB\-\-rlimit_stack\fR VALUE
|
|
RLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM_INFINITY (default: 'soft')
|
|
.TP
|
|
\fB\-\-disable_rlimits\fR
|
|
Disable all rlimits, default to limits set by parent
|
|
.TP
|
|
\fB\-\-persona_addr_compat_layout\fR
|
|
personality(ADDR_COMPAT_LAYOUT)
|
|
.TP
|
|
\fB\-\-persona_mmap_page_zero\fR
|
|
personality(MMAP_PAGE_ZERO)
|
|
.TP
|
|
\fB\-\-persona_read_implies_exec\fR
|
|
personality(READ_IMPLIES_EXEC)
|
|
.TP
|
|
\fB\-\-persona_addr_limit_3gb\fR
|
|
personality(ADDR_LIMIT_3GB)
|
|
.TP
|
|
\fB\-\-persona_addr_no_randomize\fR
|
|
personality(ADDR_NO_RANDOMIZE)
|
|
.TP
|
|
\fB\-\-disable_clone_newnet\fR|\-N
|
|
Don't use CLONE_NEWNET. Enable global networking inside the jail
|
|
.TP
|
|
\fB\-\-disable_clone_newuser\fR
|
|
Don't use CLONE_NEWUSER. Requires euid==0
|
|
.TP
|
|
\fB\-\-disable_clone_newns\fR
|
|
Don't use CLONE_NEWNS
|
|
.TP
|
|
\fB\-\-disable_clone_newpid\fR
|
|
Don't use CLONE_NEWPID
|
|
.TP
|
|
\fB\-\-disable_clone_newipc\fR
|
|
Don't use CLONE_NEWIPC
|
|
.TP
|
|
\fB\-\-disable_clone_newuts\fR
|
|
Don't use CLONE_NEWUTS
|
|
.TP
|
|
\fB\-\-disable_clone_newcgroup\fR
|
|
Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6
|
|
.TP
|
|
\fB\-\-uid_mapping\fR|\fB\-U\fR VALUE
|
|
Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present
|
|
.TP
|
|
\fB\-\-gid_mapping\fR|\fB\-G\fR VALUE
|
|
Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap (set-uid) to be present
|
|
.TP
|
|
\fB\-\-bindmount_ro\fR|\fB\-R\fR VALUE
|
|
List of mountpoints to be mounted \fB\-\-bind\fR (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
|
|
.TP
|
|
\fB\-\-bindmount\fR|\fB\-B\fR VALUE
|
|
List of mountpoints to be mounted \fB\-\-bind\fR (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
|
|
.TP
|
|
\fB\-\-tmpfsmount\fR|\fB\-T\fR VALUE
|
|
List of mountpoints to be mounted as tmpfs (R/W) inside the container. Can be specified multiple times. Supports 'dest' syntax. Alternatively, use '-m none:dest:tmpfs:size=8388608'
|
|
.TP
|
|
\fB\-\-mount\fR|\fB\-m\fR VALUE
|
|
Arbitrary mount, format src:dst:fs_type:options
|
|
.TP
|
|
\fB\-\-symlink\fR|\f\B\-s\fR VALUE
|
|
Symlink, format src:dst
|
|
.TP
|
|
\fB\-\-disable_proc\fR
|
|
Disable mounting procfs in the jail
|
|
.TP
|
|
\fB\-\-proc_path\fR VALUE
|
|
Path used to mount procfs (default: '/proc')
|
|
.TP
|
|
\fB\-\-proc_rw\fR
|
|
Is procfs mounted as R/W (default: R/O)
|
|
.TP
|
|
\fB\-\-seccomp_policy\fR|\fB\-P\fR VALUE
|
|
Path to file containing seccomp\-bpf policy (see kafel/)
|
|
.TP
|
|
\fB\-\-seccomp_string\fR VALUE
|
|
String with kafel seccomp\-bpf policy (see kafel/)
|
|
.TP
|
|
\fB\-\-seccomp_log\fR
|
|
Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW. Supported since kernel version 4.14
|
|
.TP
|
|
\fB\-\-cgroup_mem_max\fR VALUE
|
|
Maximum number of bytes to use in the group (default: '0' \- disabled)
|
|
.TP
|
|
\fB\-\-cgroup_mem_mount\fR VALUE
|
|
Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')
|
|
.TP
|
|
\fB\-\-cgroup_mem_parent\fR VALUE
|
|
Which pre\-existing memory cgroup to use as a parent (default: 'NSJAIL')
|
|
.TP
|
|
\fB\-\-cgroup_pids_max\fR VALUE
|
|
Maximum number of pids in a cgroup (default: '0' \- disabled)
|
|
.TP
|
|
\fB\-\-cgroup_pids_mount\fR VALUE
|
|
Location of pids cgroup FS (default: '/sys/fs/cgroup/pids')
|
|
.TP
|
|
\fB\-\-cgroup_pids_parent\fR VALUE
|
|
Which pre\-existing pids cgroup to use as a parent (default: 'NSJAIL')
|
|
.TP
|
|
\fB\-\-cgroup_net_cls_classid\fR VALUE
|
|
Class identifier of network packets in the group (default: '0' \- disabled)
|
|
.TP
|
|
\fB\-\-cgroup_net_cls_mount\fR VALUE
|
|
Location of net_cls cgroup FS (default: '/sys/fs/cgroup/net_cls')
|
|
.TP
|
|
\fB\-\-cgroup_net_cls_parent\fR VALUE
|
|
Which pre\-existing net_cls cgroup to use as a parent (default: 'NSJAIL')
|
|
.TP
|
|
\fB\-\-cgroup_cpu_ms_per_sec\fR VALUE
|
|
Number of milliseconds of CPU time per second that the process group can use (default: '0' - no limit)
|
|
.TP
|
|
\fB\-\-cgroup_cpu_mount\fR VALUE
|
|
Location of cpu cgroup FS (default: '/sys/fs/cgroup/net_cls')
|
|
.TP
|
|
\fB\-\-cgroup_cpu_parent\fR VALUE
|
|
Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')
|
|
.TP
|
|
\fB\-\-cgroupv2_mount\fR VALUE
|
|
Location of cgroup v2 directory (default: '/sys/fs/cgroup')
|
|
.TP
|
|
\fB\-\-use_cgroupv2\fR
|
|
Use cgroup v2
|
|
.TP
|
|
\fB\-\-iface_no_lo\fR
|
|
Don't bring the 'lo' interface up
|
|
.TP
|
|
\fB\-\-iface_own\fR VALUE
|
|
Move this existing network interface into the new NET namespace. Can be specified multiple times
|
|
.TP
|
|
\fB\-\-macvlan_iface\fR|\fB\-I\fR VALUE
|
|
Interface which will be cloned (MACVLAN) and put inside the subprocess' namespace as 'vs'
|
|
.TP
|
|
\fB\-\-macvlan_vs_ip\fR VALUE
|
|
IP of the 'vs' interface (e.g. "192.168.0.1")
|
|
.TP
|
|
\fB\-\-macvlan_vs_nm\fR VALUE
|
|
Netmask of the 'vs' interface (e.g. "255.255.255.0")
|
|
.TP
|
|
\fB\-\-macvlan_vs_gw\fR VALUE
|
|
Default GW for the 'vs' interface (e.g. "192.168.0.1")
|
|
.TP
|
|
\fB\-\-macvlan_vs_ma\fR VALUE
|
|
MAC-address of the 'vs' interface (e.g. "ba:ad:ba:be:45:00")
|
|
\"
|
|
.SH Examples
|
|
.PP
|
|
Wait on a port 31337 for connections, and run /bin/sh:
|
|
.IP
|
|
nsjail \-Ml \-\-port 31337 \-\-chroot / \-\- /bin/sh \-i
|
|
.PP
|
|
Re\-run echo command as a sub\-process:
|
|
.IP
|
|
nsjail \-Mr \-\-chroot / \-\- /bin/echo "ABC"
|
|
.PP
|
|
Run echo command once only, as a sub\-process:
|
|
.IP
|
|
nsjail \-Mo \-\-chroot / \-\- /bin/echo "ABC"
|
|
.PP
|
|
Execute echo command directly, without a supervising process:
|
|
.IP
|
|
nsjail \-Me \-\-chroot / \-\-disable_proc \-\- /bin/echo "ABC"
|
|
\"
|