commit | e23b43f9f4d3810110070593aa6ff95ad1873cea | [log] [tgz] |
---|---|---|
author | Dan Willemsen <dwillemsen@google.com> | Mon Mar 28 23:59:21 2022 -0700 |
committer | Dan Willemsen <dwillemsen@google.com> | Tue Mar 29 00:00:55 2022 -0700 |
tree | 7d064ad9f086716dc3c1b333a9d426df4a496a09 | |
parent | b31ec2c09ec3143af016fd4319502292551f2b90 [diff] | |
parent | 6483728e2490c1fc497a81bba5682515eb489cf8 [diff] | |

Merge remote-tracking branch 'aosp/upstream-master'

Change-Id: Ide59a09d54b24cf4753fcba68c5280e2c2b7e068
This is NOT an official Google product.
NsJail is a process isolation tool for Linux. It utilizes the Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters of the Linux kernel.
It can help you with (among other things):
Features:
/proc and tmpfs mount points

PS: You'll need to have a valid file-system tree in /chroot. If you don't have it, change /chroot to /.
You will also find all examples in the configs directory.
config.proto contains ProtoBuf schema for nsjail's configuration format.
You can examine an example config file in configs/bash-with-fake-geteuid.cfg.
Usage:
You can also override certain options with command-line options. Here, the executed binary (/bin/bash) is overridden with /usr/bin/id, yet the options from configs/bash-with-fake-geteuid.cfg still apply.
You might also want to try using configs/home-documents-with-xorg-no-net.cfg.
The configs/firefox-with-net.cfg config file will allow you to run firefox inside a sandboxed environment:
A more complex setup, which utilizes virtualized (cloned) Ethernet interfaces (to separate it from the main network namespace), can be found in configs/firefox-with-cloned-net.cfg. Remember to change relevant UIDs and Ethernet interface names before use.
As using cloned Ethernet interfaces (MACVTAP) requires root privileges, you'll have to run it under sudo:
The command-line options should be self-explanatory, while the proto-buf config options are described in config.proto.
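The config files referenced above are protobuf text-format files following config.proto. Reviewing such a file for settings that weaken the sandbox (a writable bind mount of a host path, the network namespace left shared, no time limit) is something a defender will want to automate. The following added example, which is not part of nsjail or its README, parses the flat subset of the text format used by the sample configs and reports such findings. The field names (`clone_newnet`, `time_limit`, `mount { src dst is_bind rw }`, `exec_bin`) and the default of `clone_newnet` being true are taken from config.proto as recalled by the author of this example and should be checked against the file; the config text itself is constructed for the example.

```python
"""Small lint for nsjail text-proto configs (added example, not nsjail code).

Handles top-level `key: value` scalars and one level of `name { ... }`
blocks, which is the shape of the sample configs. Field names follow
config.proto as recalled here (assumption: verify against the real file).
"""
import re
from typing import List

# Constructed sample config, modelled on the shape of configs/bash-with-fake-geteuid.cfg.
SAMPLE_CFG = """
name: "example-bash"
description: "constructed sample for the lint below"
mode: ONCE
hostname: "JAIL"
cwd: "/"
time_limit: 100
clone_newnet: false        # assumption: defaults to true in config.proto
rlimit_as: 1024

mount {
    src: "/lib"
    dst: "/lib"
    is_bind: true
    rw: false
}
mount {
    src: "/etc"
    dst: "/etc"
    is_bind: true
    rw: true
}
mount {
    dst: "/tmp"
    fstype: "tmpfs"
    rw: true
}
exec_bin {
    path: "/bin/bash"
    arg: "-i"
}
"""

SCALAR_RE = re.compile(r'^(\w+)\s*:\s*(.+)$')
BLOCK_OPEN_RE = re.compile(r'^(\w+)\s*\{$')


def _coerce(raw: str):
    """Turn a text-proto literal into a Python value (string, bool, int or enum symbol)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r'-?\d+', raw):
        return int(raw)
    return raw  # enum symbol such as ONCE


def parse_config(text: str) -> dict:
    """Return {"scalars": {key: value}, "blocks": {name: [ {field: value}, ... ]}}."""
    cfg = {"scalars": {}, "blocks": {}}
    current = None  # (block_name, fields) while inside a block
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()  # '#' starts a text-proto comment
        if not stripped:
            continue
        if stripped == "}":
            if current is None:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            name, fields = current
            cfg["blocks"].setdefault(name, []).append(fields)
            current = None
            continue
        m = BLOCK_OPEN_RE.match(stripped)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: nested blocks not supported here")
            current = (m.group(1), {})
            continue
        m = SCALAR_RE.match(stripped)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {stripped!r}")
        key, value = m.group(1), _coerce(m.group(2).strip())
        target = current[1] if current else cfg["scalars"]
        if key in target:  # repeated field, e.g. several `arg:` lines
            prev = target[key]
            target[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            target[key] = value
    if current is not None:
        raise ValueError("unterminated block at end of config")
    return cfg


def lint(cfg: dict) -> List[str]:
    """Return findings for settings that weaken isolation; an empty list is clean."""
    findings = []
    scalars = cfg["scalars"]
    if scalars.get("clone_newnet") is False:
        findings.append("clone_newnet is false: the jailed process shares the host network namespace")
    if not scalars.get("time_limit"):
        findings.append("time_limit missing or 0: a runaway process is never killed")
    for mnt in cfg["blocks"].get("mount", []):
        if mnt.get("is_bind") and mnt.get("rw"):
            findings.append(f"writable bind mount of host path {mnt.get('src')!r} at {mnt.get('dst')!r}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CFG)):
        print("finding:", finding)
```

On the constructed sample the lint reports two findings: the shared network namespace and the writable bind mount of /etc; the read-only /lib bind and the tmpfs at /tmp pass. Because command-line options can override config values, as the README notes above, run the check against the effective settings, not only the file.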
To launch nsjail in a docker container, clone the repository and build the docker image:
This will build up an image containing nsjail and kafel.
From now on you can either use it in another Dockerfile (FROM nsjailcontainer) or directly: