Google Git
Sign in
android / platform / external / nsjail / refs/heads/master
commita25cd900710305660a653c6b63d76286d8d6cdfe[log] [tgz]
authorDan Willemsen <dwillemsen@google.com>Mon Feb 11 14:11:13 2019 -0800
committerDan Willemsen <dwillemsen@google.com>Mon Feb 11 14:48:35 2019 -0800
tree2a953a7049bdc01b2bd21e03e429765925be6b66
parent3de13eeda716244ac196b5a501f98c98bc3947d0 [diff]
Revert hacks needed for old glibc

We've upgraded our glibc sysroot, so these now compile.

Test: treehugger
Change-Id: I8af49b3db7573a5a00cb92f884e5f428a76377cd
2 files changed
tree: 2a953a7049bdc01b2bd21e03e429765925be6b66
  1. .gitignore
  2. Android.bp
  3. CONTRIBUTING
  4. Dockerfile
  5. LICENSE
  6. METADATA
  7. MODULE_LICENSE_APACHE2
  8. Makefile
  9. NOTICELICENSE
  10. OWNERS
  11. README.md
  12. caps.cc
  13. caps.h
  14. cgroup.cc
  15. cgroup.h
  16. cmdline.cc
  17. cmdline.h
  18. config.cc
  19. config.h
  20. config.proto
  21. configs/
  22. contain.cc
  23. contain.h
  24. cpu.cc
  25. cpu.h
  26. logs.cc
  27. logs.h
  28. macros.h
  29. mnt.cc
  30. mnt.h
  31. net.cc
  32. net.h
  33. nsjail.1
  34. nsjail.cc
  35. nsjail.h
  36. pid.cc
  37. pid.h
  38. sandbox.cc
  39. sandbox.h
  40. sandbox_no_kafel.cc
  41. subproc.cc
  42. subproc.h
  43. user.cc
  44. user.h
  45. util.cc
  46. util.h
  47. uts.cc
  48. uts.h
README.md

This is NOT an official Google product.

Overview

NsJail is a process isolation tool for Linux. It utilizes Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters of the Linux kernel.

It can help you with (among other things):

  • Isolating networking services (e.g. web, time, DNS), by isolating them from the rest of the OS
  • Hosting computer security challenges (so-called CTFs)
  • Containing invasive syscall-level OS fuzzers

Features:

What forms of isolation does it provide

  1. Linux namespaces: UTS (hostname), MOUNT (chroot), PID (separate PID tree), IPC, NET (separate networking context), USER, CGROUPS
  2. FS constraints: chroot(), pivot_root(), RO-remounting, custom /proc and tmpfs mount points
  3. Resource limits (wall-time/CPU time limits, VM/mem address space limits, etc.)
  4. Programmable seccomp-bpf syscall filters (through the kafel language)
  5. Cloned and isolated Ethernet interfaces
  6. Cgroups for memory and PID utilization control

Which use-cases are supported

Isolation of network services (inetd style)

PS: You‘ll need to have a valid file-system tree in /chroot. If you don’t have it, change /chroot to /

  • Server:
  • Client:

Isolation with access to a private, cloned interface (requires root/setuid)

PS: You‘ll need to have a valid file-system tree in /chroot. If you don’t have it, change /chroot to /

Isolation of local processes

PS: You‘ll need to have a valid file-system tree in /chroot. If you don’t have it, change /chroot to /

Isolation of local processes (and re-running them, if necessary)

PS: You‘ll need to have a valid file-system tree in /chroot. If you don’t have it, change /chroot to /

Bash in a minimal file-system with uid==0 and access to /dev/urandom only

/usr/bin/find in a minimal file-system (only /usr/bin/find accessible from /usr/bin)

Using /etc/subuid

Even more contrained shell (with seccomp-bpf policies)

Configuration file

You will also find all examples in the configs directory.

config.proto contains ProtoBuf schema for nsjail's configuration format.

You can examine an example config file in configs/bash-with-fake-geteuid.cfg.

Usage:

You can also override certain options with command-line options. Here, the executed binary (/bin/bash) is overriden with /usr/bin/id, yet options from configs/bash-with-fake-geteuid.cfg still apply

You might also want to try using configs/home-documents-with-xorg-no-net.cfg.

The configs/firefox-with-net.cfg config file will allow you to run firefox inside a sandboxed environment:

A more complex setup, which utilizes virtualized (cloned) Ethernet interfaces (to separate it from the main network namespace), can be found in configs/firefox-with-cloned-net.cfg. Remember to change relevant UIDs and Ethernet interface names before use.

As using cloned Ethernet interfaces (MACVTAP) required root privileges, you'll have to run it under sudo:

More info

The command-line options should be self-explanatory, while the proto-buf config options are described in config.proto

Launching in Docker

To launch nsjail in a docker container clone the repository and build the docker image:

This will build up an image containing njsail and kafel.

From now you can either use it in another Dockerfile (FROM nsjailcontainer) or directly:

Contact