nsjail
nsjail copied to clipboard
google
A lightweight process isolation tool that utilizes Linux namespaces, cgroups, rlimits and seccomp-bpf syscall filters, leveraging the Kafel BPF language for enhanced security.
If `/sys/fs/cgroup` is mounted inside the jail, the application can create new cgroups. Even though they cannot be entered, this could lead to resource exhaustion on the kernel's cgroups. Example:...
https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.14-Core-Scheduling Linux 5.14 add support for core scheduling. Is it possible to add support for core scheduling in nsjail? My usecase is that I potentially have multiple nsjail instances running...
For example, when I run `nsjail` with `--use_cgroupv2 --cgroupv2_mount /sys/fs/cgroup/NSJAIL`, I still see errors like ``` writeBufToFile():95 Couldn't open '/sys/fs/cgroup/NSJAIL/NSJAIL.10/memory.max' for writing: No such file or directory ``` If I...
I would like to use nsjail to run a python script with limited permissions, e.g this script: ```py open("../a.txt", "w+") ``` I don't want the script to be able to...
Hi, I'm opening this issue to recommend a "build" section in the README with some brief instructions. Feel free to close it if that's duplicated anywhere. Context: I was trying...
I've been trying to use `nsjail` in `STANDALONE_EXECVE` mode along with `--execute_fd` since the binary to be executed doesn't exist in the chroot. Unfortunately, I'm finding that the same set...
It would be awesome if you could add support to join an existing namespaces 👍
I am not sure fi there is a setting that let nsjail to limit or just retain the most recent entries of nsjail logs and recycle the older data. It...
How can we configure seccomp-bpf for ELF32 executable launched by ELF64 nsjail? ``` $ file =nsjail /usr/local/google/home/ukai/bin/nsjail: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,...
