happyCoder92
nsjail always sets both soft and hard limits to the same value as supplied in the config. You can lower the soft/hard limit in the sandboxed process yourself.
The easiest way to run an unmodified binary is to add `--disable_clone_newnet` to the nsjail command line (beware: it will use the host netns then, so it will be less isolated).
Tuple errors seem to be an issue with an old compiler. The behavior of tuple ctors was changed by [n4387](http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2015/n4387.html) applied as defect report to C++11. Others should be fixed...
Actually the last errors are not tuple related but still old compiler issues (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=36750)
It's a neat idea. Just getting all the used syscalls is a good starting point, but may lead to lax policies. As an improvement we could have a list of commonly...
If you're running as root you can try using `--disable_clone_newuser`. Or, better yet, as the warning message suggests, compile in/enable unprivileged user namespaces and run as non-root.
It's not currently supported. The problem here is that nsjail will issue an x86_64 execve syscall, so you would need a seccomp policy that supports both archs. The easiest workaround is...
Hi! Are you still going to work on this one? Seems there are more users requesting it and it would be nice to merge it soon :)
Hi! I had a while to work on it and just committed multi-arch support. It still needs to be integrated with nsjail and perhaps exposed in new language constructs. Also...
Splitting the syscall database into a separate library sounds like a good idea. It should however be fairly small and easily embeddable.