
This is NOT an official Google product.


Overview

NsJail is a process isolation tool for Linux. It utilizes the Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters of the Linux kernel.

It can help you with (among other things):

  • Isolating network services (e.g. web, time, DNS) from the rest of the OS
  • Hosting computer security challenges (so-called CTFs)
  • Containing invasive syscall-level OS fuzzers

Features:


What forms of isolation does it provide

  1. Linux namespaces: UTS (hostname), MOUNT (chroot), PID (separate PID tree), IPC, NET (separate networking context), USER, CGROUPS
  2. FS constraints: chroot(), pivot_root(), RO-remounting, custom /proc and tmpfs mount points
  3. Resource limits (wall-time/CPU time limits, VM/mem address space limits, etc.)
  4. Programmable seccomp-bpf syscall filters (through the kafel language)
  5. Cloned and isolated Ethernet interfaces
  6. Cgroups for memory and PID utilization control

Which use-cases are supported

Isolation of network services (inetd style)

PS: You'll need to have a valid file-system tree in /chroot. If you don't have it, change /chroot to /

  • Server:
  • Client:

Isolation with access to a private, cloned interface (requires root/setuid)

PS: You'll need to have a valid file-system tree in /chroot. If you don't have it, change /chroot to /

Isolation of local processes

PS: You'll need to have a valid file-system tree in /chroot. If you don't have it, change /chroot to /

Isolation of local processes (and re-running them, if necessary)

PS: You'll need to have a valid file-system tree in /chroot. If you don't have it, change /chroot to /

Bash in a minimal file-system with uid==0 and access to /dev/urandom only

/usr/bin/find in a minimal file-system (only /usr/bin/find accessible from /usr/bin)

Using /etc/subuid

Even more constrained shell (with seccomp-bpf policies)


Configuration file

You will also find all examples in the configs directory.


config.proto contains the ProtoBuf schema for nsjail's configuration format.


You can examine an example config file in configs/bash-with-fake-geteuid.cfg.

Usage:

You can also override certain options with command-line options. Here, the executed binary (/bin/bash) is overridden with /usr/bin/id, yet the options from configs/bash-with-fake-geteuid.cfg still apply.
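An added example of the text-format config described above, not one of the repository's own configs: it covers the "bash in a minimal file-system with uid==0 and access to /dev/urandom only" use case together with a kafel seccomp-bpf policy. Field names follow my reading of config.proto and should be checked against that schema before use.

```textproto
# Added example (not from the nsjail repository): minimal bash sandbox.
# Field names are as I recall them from config.proto; verify against the schema.
name: "bash-minimal-ro"
description: "bash as uid 0 inside a user namespace, read-only tree, /dev/urandom only"

mode: ONCE               # run the command once and exit (not inetd-style LISTEN)
hostname: "NSJAIL"
cwd: "/"
time_limit: 100          # wall-clock seconds before the jail is torn down

envar: "HOME=/"
envar: "PS1=[nsjail]$ "

# Map the calling user's uid/gid to 0 inside the user namespace
# (empty outside_id = the uid/gid nsjail was started with, per my reading).
uidmap { inside_id: "0" outside_id: "" }
gidmap { inside_id: "0" outside_id: "" }

# Resource limits (rlimit_as / rlimit_fsize are in MiB)
rlimit_as: 128
rlimit_fsize: 1
rlimit_nofile: 32
rlimit_core: 0

# Read-only bind mounts of only what bash needs; nothing else is visible.
mount { src: "/bin" dst: "/bin" is_bind: true }
mount { src: "/lib" dst: "/lib" is_bind: true }
mount { src: "/lib64" dst: "/lib64" is_bind: true mandatory: false }
mount { src: "/usr/lib" dst: "/usr/lib" is_bind: true mandatory: false }

# The only device node exposed from /dev
mount { src: "/dev/urandom" dst: "/dev/urandom" is_bind: true rw: true }

# Fresh, size-capped tmpfs and a private procfs for the new PID namespace
mount { dst: "/tmp" fstype: "tmpfs" rw: true options: "size=4194304" }
mount { dst: "/proc" fstype: "proc" }

# kafel policy: fail ptrace/process_vm_* with EPERM, allow everything else
seccomp_string: "ERRNO(1) { ptrace, process_vm_readv, process_vm_writev }"
seccomp_string: "DEFAULT ALLOW"

# Separate network namespace: no interfaces besides lo
clone_newnet: true

exec_bin {
  path: "/bin/bash"
  arg: "-i"
}
```

Because the mounts are bind mounts from the host, /bin and /lib above must exist on the host; the ones marked mandatory: false are skipped where they do not.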


You might also want to try using configs/home-documents-with-xorg-no-net.cfg.


The configs/firefox-with-net.cfg config file will allow you to run firefox inside a sandboxed environment:

A more complex setup, which utilizes virtualized (cloned) Ethernet interfaces (to separate it from the main network namespace), can be found in configs/firefox-with-cloned-net.cfg. Remember to change relevant UIDs and Ethernet interface names before use.

As using cloned Ethernet interfaces (MACVTAP) requires root privileges, you'll have to run it under sudo:


More info

The command-line options should be self-explanatory, while the proto-buf config options are described in config.proto.


Launching in Docker

To launch nsjail in a docker container, clone the repository and build the docker image:

This will build an image containing nsjail and kafel.

From now on you can either use it in another Dockerfile (FROM nsjailcontainer) or directly:


Contact