make indent
1 file changed
tree: 188caf75d538850943144a65451384376ca012ec
README.md

This is NOT an official Google product.


Overview

NsJail is a process isolation tool for Linux. It utilizes the Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters of the Linux kernel.

It can help you with (among other things):

  • Isolating networking services (e.g. web, time, DNS) from the rest of the OS
  • Hosting computer security challenges (so-called CTFs)
  • Containing invasive syscall-level OS fuzzers

Features:


What forms of isolation does it provide

  1. Linux namespaces: UTS (hostname), MOUNT (chroot), PID (separate PID tree), IPC, NET (separate networking context), USER, CGROUPS
  2. FS constraints: chroot(), pivot_root(), RO-remounting, custom /proc and tmpfs mount points
  3. Resource limits (wall-time/CPU time limits, VM/mem address space limits, etc.)
  4. Programmable seccomp-bpf syscall filters (through the kafel language)
  5. Cloned and isolated Ethernet interfaces
  6. Cgroups for memory and PID utilization control

Which use-cases are supported

Isolation of network services (inetd style)

PS: You'll need to have a valid file-system tree in /chroot. If you don't have it, change /chroot to /

  • Server:
  • Client:

Isolation with access to a private, cloned interface (requires root/setuid)

PS: You'll need to have a valid file-system tree in /chroot. If you don't have it, change /chroot to /

Isolation of local processes

PS: You'll need to have a valid file-system tree in /chroot. If you don't have it, change /chroot to /

Isolation of local processes (and re-running them, if necessary)

PS: You'll need to have a valid file-system tree in /chroot. If you don't have it, change /chroot to /

Bash in a minimal file-system with uid==0 and access to /dev/urandom only

/usr/bin/find in a minimal file-system (only /usr/bin/find accessible from /usr/bin)

Using /etc/subuid

Even more constrained shell (with seccomp-bpf policies)


Configuration file

You will also find all examples in the configs directory.


config.proto contains the ProtoBuf schema for nsjail's configuration format.


You can examine an example config file in configs/bash-with-fake-geteuid.cfg.

Usage:

You can also override certain options with command-line options. Here, the executed binary (/bin/bash) is overridden with /usr/bin/id, yet the options from configs/bash-with-fake-geteuid.cfg still apply.
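A minimal config in the text ProtoBuf format described by config.proto, written here as an added example rather than one of the repository's own configs/ files: a read-only bash sandbox with no network, tight rlimits, and a kafel seccomp-bpf policy that makes geteuid()/getegid() fail (the idea behind the bash-with-fake-geteuid.cfg name). The field names (mode, mount, rlimit_*, clone_newnet, seccomp_string, exec_bin) are assumed to match the schema in config.proto at this tree; check them there before use.

```protobuf
# Added example config (not from the repository's configs/ directory).
# Field names assumed to match config.proto; verify against the schema.
name: "bash-ro-fake-geteuid"
description: "bash in a read-only bind-mounted root, no network, kafel policy"

mode: ONCE            # run the jailed program once and exit
hostname: "NSJAIL"    # hostname inside the UTS namespace
cwd: "/"

time_limit: 100       # wall-clock seconds before the jail is killed
rlimit_as: 128        # address space limit, MiB
rlimit_cpu: 10        # CPU seconds
rlimit_fsize: 0       # no file writes larger than 0 MiB
rlimit_nofile: 32     # open file descriptors

clone_newnet: true    # fresh, empty network namespace: no network access
keep_env: false       # drop the host environment...
envar: "HOME=/"       # ...and set only what bash needs
envar: "TERM=xterm"

# Read-only bind mounts of just the directories bash needs
mount { src: "/lib"     dst: "/lib"     is_bind: true rw: false }
mount { src: "/lib64"   dst: "/lib64"   is_bind: true rw: false mandatory: false }
mount { src: "/bin"     dst: "/bin"     is_bind: true rw: false }
mount { src: "/usr/bin" dst: "/usr/bin" is_bind: true rw: false }
mount { src: "/dev/urandom" dst: "/dev/urandom" is_bind: true rw: false }

# Writable scratch space is a size-capped tmpfs, not the host disk
mount { dst: "/tmp"  fstype: "tmpfs" rw: true  options: "size=4194304" }
mount { dst: "/proc" fstype: "proc"  rw: false }

# kafel policy: geteuid/getegid return errno 1337; everything else is allowed.
# Swap "DEFAULT ALLOW" for "DEFAULT KILL" with an explicit ALLOW list to tighten it.
seccomp_string: "ERRNO(1337) { geteuid, getegid }"
seccomp_string: "DEFAULT ALLOW"

exec_bin {
  path: "/bin/bash"
  arg: "-i"
}
```

Any option here can still be overridden on the command line, as the paragraph above shows with /usr/bin/id replacing /bin/bash.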


You might also want to try using configs/home-documents-with-xorg-no-net.cfg.


The configs/firefox-with-net.cfg config file will allow you to run firefox inside a sandboxed environment:

A more complex setup, which utilizes virtualized (cloned) Ethernet interfaces (to separate it from the main network namespace), can be found in configs/firefox-with-cloned-net.cfg. Remember to change relevant UIDs and Ethernet interface names before use.

As using cloned Ethernet interfaces (MACVTAP) requires root privileges, you'll have to run it under sudo:


More info

The command-line options should be self-explanatory, while the ProtoBuf config options are described in config.proto.


Launching in Docker

To launch nsjail in a Docker container, clone the repository and build the Docker image:

This will build an image containing nsjail and kafel.

From now on you can either use it in another Dockerfile (FROM nsjailcontainer) or run it directly:


Contact