nsjail

A lightweight process isolation tool that utilizes Linux namespaces, cgroups, rlimits and seccomp-bpf syscall filters, leveraging the Kafel BPF language for enhanced security.

Results 37 nsjail issues

Seems like it's possible to do IP packet filtering inside network namespaces. Not sure how something like this could be implemented, so just throwing it out there as an idea....

It would be nice to have a `--hashcash` option for `-Ml`, so that nsjail would generate a PoW challenge with configured difficulty. That would make it easier for hosting CTF...

Is there any plan to add report statistics of the execution? Something like the cpu and wall time elapsed, max memory usage, exit code, kill signal, etc. I think this...

Hello! I am looking for ideas on how to configure nsjail for Flask applications with RCE. My tests were unsuccessful trying to limit app.py or uwsgi, do you have any...

A useful feature would be to forward ports from inside nsjail to outside nsjail. Similar to LISTEN mode, but instead of brokering STDIN/STDOUT on the inside, it could broker a...

I want an `execve` to be blocked only on the subprocess NsJail creates. However, the seccomp filter seems to affect the NsJail process itself too. A seccomp violation is triggered...

I'm running the following command for a CTF binary `chal`. `chal` is basically an echo server, so after the following, I connect to it with netcat and get the last...

help wanted

When I first saw `--chroot` with `--rw`, I was under the impression that if I do `--chroot /`, then the whole system is mounted RO, so nothing can be modified...

From my very coarse understanding of macvlan, it doesn't seem possible to use it if the adapter is virtualized or otherwise allow for multiple MAC addresses (e.g. on VMWare or...

enhancement

I couldn't find a simple tool that defines the syscalls, permissions of a program, etc. I created this simple script, based on strace and grep, that gets a list of...