- Overview
- What forms of isolation does it provide
- Which use-cases are supported
- Examples of use
- Configuration file
- More info
- Launching in Docker
- Contact
This is NOT an official Google product.
Overview
NsJail is a process isolation tool for Linux. It uses the Linux namespaces subsystem, resource limits (rlimits and cgroups), and the kernel's seccomp-bpf syscall filters.
It can help you with (among other things):
- Isolating network services (e.g. web, time, DNS) from the rest of the OS
- Hosting computer security challenges (so-called CTFs)
- Containing invasive syscall-level OS fuzzers
Features:
- Offers three distinct operational modes. See "Which use-cases are supported" below.
- Uses the kafel seccomp-bpf configuration language for flexible syscall policy definitions.
- Uses an expressive, ProtoBuf-based configuration file.
- It's rock-solid.
What forms of isolation does it provide
- Linux namespaces: UTS (hostname), MOUNT (chroot), PID (separate PID tree), IPC, NET (separate networking context), USER, CGROUPS
- FS constraints: chroot(), pivot_root(), RO-remounting, custom /proc and tmpfs mount points
- Resource limits (wall-time/CPU time limits, VM/mem address space limits, etc.)
- Programmable seccomp-bpf syscall filters (through the kafel language)
- Cloned and isolated Ethernet interfaces
- Cgroups for memory and PID utilization control
Which use-cases are supported
Isolation of network services (inetd style)
PS: You'll need to have a valid file-system tree in /chroot. If you don't have it, change /chroot to /.
- Server:
- Client:
Isolation with access to a private, cloned interface (requires root/setuid)
PS: You'll need to have a valid file-system tree in /chroot. If you don't have it, change /chroot to /.
Isolation of local processes
PS: You'll need to have a valid file-system tree in /chroot. If you don't have it, change /chroot to /.
Isolation of local processes (and re-running them, if necessary)
PS: You'll need to have a valid file-system tree in /chroot. If you don't have it, change /chroot to /.
Bash in a minimal file-system with uid==0 and access to /dev/urandom only
/usr/bin/find in a minimal file-system (only /usr/bin/find accessible from /usr/bin)
Using /etc/subuid
Even more constrained shell (with seccomp-bpf policies)
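The command lines for the use-cases above, collected into one script as an added example (this is not nsjail's own README text or code). Each function prints one nsjail invocation; nothing is executed unless NSJAIL_DEMO_RUN=1 is set and nsjail is on PATH, so the script can be read and sourced safely. The port, UIDs, the macvlan parent interface and its addresses, the bind-mounted paths (/lib64 exists on x86_64 glibc systems only) and the syscall allow-list are assumptions:

```shell
#!/bin/sh
# Added example (not part of the nsjail repository): one builder function per
# use-case, each printing a single nsjail command line. Ports, UIDs, addresses,
# interface names and the syscall list are assumptions.
set -eu

# Every mode needs a real filesystem tree under the chroot (the "PS" above).
# Use the assumed /chroot if it looks usable, otherwise fall back to /.
pick_chroot() {
    dir="${1:-/chroot}"
    if [ -x "$dir/bin/sh" ]; then printf '%s' "$dir"; else printf '/'; fi
}

# Network service, inetd-style: listen mode (-Ml) forks a fresh jail per TCP
# client on --port, caps connections per source IP and wall-clock time, and
# connects the client socket to the sandboxed shell's stdio.
jail_listen() {
    printf 'nsjail -Ml --port %s --max_conns_per_ip 2 --time_limit 60 --chroot %s -- /bin/sh -i' \
        "${1:-9000}" "$(pick_chroot)"
}
# The matching client is an ordinary TCP connection.
client_for() { printf 'nc 127.0.0.1 %s' "${1:-9000}"; }

# Private, cloned Ethernet interface (macvlan on an assumed parent eth0 with
# assumed addressing). Creating it requires root, hence sudo.
jail_macvlan() {
    printf 'sudo nsjail -Mo --user 9999 --group 9999 --macvlan_iface %s --macvlan_vs_ip 192.168.0.44 --macvlan_vs_nm 255.255.255.0 --macvlan_vs_gw 192.168.0.1 --chroot %s -- /bin/sh -i' \
        "${1:-eth0}" "$(pick_chroot)"
}

# Local process, run once (-Mo) or re-run every time it exits (-Mr).
jail_once()  { printf 'nsjail -Mo --chroot %s -- /bin/sh -i' "$(pick_chroot)"; }
jail_rerun() { printf 'nsjail -Mr --chroot %s -- /bin/sh -i' "$(pick_chroot)"; }

# Bash with uid 0 inside the user namespace (still unprivileged outside), in a
# root built only from read-only bind mounts (-R) plus a private tmpfs /dev (-T)
# that holds nothing but /dev/urandom. Without --chroot the new root is empty
# until the listed paths are mounted into it.
jail_minimal_bash() {
    printf 'nsjail -Mo --user 0 --group 99999 -R /bin -R /lib -R /lib64 -R /usr -R /sbin -T /dev -R /dev/urandom -- /bin/bash -i'
}

# Only /usr/bin/find is visible under /usr/bin; the rest of /usr is absent.
jail_find_only() {
    printf 'nsjail -Mo --user 99999 --group 99999 -R /usr/bin/find -R /lib -R /lib64 -- /usr/bin/find /'
}

# Even more constrained: an allow-list seccomp policy in kafel syntax, applied
# by nsjail right before execve, plus a 1 GiB address-space rlimit. This list
# is an assumption for a small shell; a current glibc/bash needs more (openat,
# newfstatat, prlimit64, getrandom, rseq, ...). Collect the real set with
# `strace -f -c`, or run with --seccomp_log to log instead of kill while you
# refine the policy.
KAFEL_ALLOW_LIST='POLICY a {
  ALLOW { write, execve, brk, access, mmap, open, newfstat, close, read,
          mprotect, arch_prctl, munmap, getuid, getgid, getpid, rt_sigaction,
          geteuid, getppid, getcwd, getegid, ioctl, fcntl, newstat, clone,
          wait4, rt_sigreturn, exit_group }
} USE a DEFAULT KILL'
jail_seccomp_bash() {
    printf "nsjail -Mo --chroot / --rlimit_as 1024 --seccomp_string '%s' -- /bin/bash -i" "$KAFEL_ALLOW_LIST"
}

# Execute a builder's command only when explicitly asked and nsjail is present;
# otherwise just print it.
run_jail() {
    cmd="$("$@")"
    if [ "${NSJAIL_DEMO_RUN:-0}" = 1 ] && command -v nsjail >/dev/null 2>&1; then
        eval "$cmd"
    else
        printf '%s\n' "$cmd"
    fi
}

for builder in jail_listen jail_macvlan jail_once jail_rerun \
               jail_minimal_bash jail_find_only jail_seccomp_bash; do
    run_jail "$builder"
done
client_for 9000; echo
```

A practical check for the listen-mode case: connect with the printed nc command from a second terminal, then run `ps` on the host; each client should appear as its own nsjail child in a separate PID namespace, and it should vanish when the --time_limit expires.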
Configuration file
You will also find all examples in the configs directory.
config.proto contains ProtoBuf schema for nsjail's configuration format.
You can examine an example config file in configs/bash-with-fake-geteuid.cfg.
Usage:
You can also override certain options from the command line. Here, the executed binary (/bin/bash) is overridden with /usr/bin/id, while the remaining options from configs/bash-with-fake-geteuid.cfg still apply.
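A complete config of the kind described above, as an added example (it is not one of the files in nsjail's configs/ directory). The script writes the file and prints both the plain invocation and the command-line override of the executed binary. The name, ids, mount list and the deny-listed syscalls are assumptions; config.proto documents every field:

```shell
#!/bin/sh
# Added example (not a file from nsjail's configs/ directory): writes a small
# ProtoBuf text-format config and shows the command-line override. Paths, ids
# and the seccomp deny-list are assumptions.
set -eu

write_config() {
    cat >"$1" <<'EOF'
name: "demo-bash"
description: "Added example config: bash in a private root with read-only binaries and no network"

mode: ONCE
hostname: "JAIL"
cwd: "/"
time_limit: 120
clone_newnet: true

# rlimits: RLIMIT_AS and RLIMIT_FSIZE are in MiB, RLIMIT_CPU in seconds
rlimit_as: 512
rlimit_cpu: 60
rlimit_fsize: 1
rlimit_nofile: 32

envar: "HOME=/"
envar: "PATH=/usr/bin:/bin"
envar: "TERM=xterm"

# Inside uid/gid 99999; an empty outside_id means the uid/gid running nsjail.
uidmap { inside_id: "99999" outside_id: "" }
gidmap { inside_id: "99999" outside_id: "" }

# The new root starts empty; only what is listed here becomes visible.
mount { src: "/bin"   dst: "/bin"   is_bind: true }
mount { src: "/lib"   dst: "/lib"   is_bind: true }
mount { src: "/lib64" dst: "/lib64" is_bind: true mandatory: false }
mount { src: "/usr"   dst: "/usr"   is_bind: true }
mount { dst: "/dev" fstype: "tmpfs" options: "size=8388608" rw: true }
mount { src: "/dev/urandom" dst: "/dev/urandom" is_bind: true rw: true }
mount { dst: "/proc" fstype: "proc" }
mount { dst: "/tmp" fstype: "tmpfs" options: "size=16777216" rw: true }

# Deny-list seccomp policy in kafel syntax, split across repeated
# seccomp_string fields that nsjail concatenates. Anything not listed is
# allowed, so this is weaker than an allow-list but does not break when the
# toolchain starts using a new syscall.
seccomp_string: "KILL_PROCESS {"
seccomp_string: "  ptrace, process_vm_readv, process_vm_writev,"
seccomp_string: "  mount, umount2, pivot_root, unshare, setns,"
seccomp_string: "  add_key, request_key, keyctl,"
seccomp_string: "  bpf, userfaultfd, perf_event_open,"
seccomp_string: "  init_module, finit_module, delete_module, kexec_load, reboot"
seccomp_string: "}"
seccomp_string: "DEFAULT ALLOW"

exec_bin {
  path: "/bin/bash"
  arg: "-i"
}
EOF
}

# Run exactly what the config says.
config_cmd()          { printf 'nsjail --config %s' "$1"; }
# Same config, but the executed binary is overridden on the command line;
# every other setting (ids, mounts, limits, seccomp) still comes from the file.
config_override_cmd() { printf 'nsjail --config %s -- /usr/bin/id' "$1"; }

CFG="${TMPDIR:-/tmp}/nsjail-demo.cfg"
write_config "$CFG"
config_cmd "$CFG"; echo
config_override_cmd "$CFG"; echo
```

Running the override variant is a quick way to confirm the mapping and hostname took effect: id should report uid and gid 99999 and nothing else from the host, and mount and umount2 are denied even though nsjail itself performed the mounts, because the filter is installed only just before execve.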
You might also want to try using configs/home-documents-with-xorg-no-net.cfg.
The configs/firefox-with-net.cfg config file will allow you to run Firefox inside a sandboxed environment:
A more complex setup, which utilizes virtualized (cloned) Ethernet
interfaces (to separate it from the main network namespace), can be
found in configs/firefox-with-cloned-net.cfg.
Remember to change relevant UIDs and Ethernet interface names before use.
Because using cloned Ethernet interfaces (MACVTAP) requires root privileges, you'll have to run it under sudo:
More info
The command-line options should be self-explanatory, while the ProtoBuf config options are described in config.proto.
Launching in Docker
To launch nsjail in a docker container clone the repository and build the docker image:
This will build an image containing nsjail and kafel.
From then on you can either use it in another Dockerfile (FROM nsjailcontainer) or run it directly:
Contact
- User mailing list: nsjail@googlegroups.com