{"id":13423571,"url":"https://github.com/google/nsjail","last_synced_at":"2025-04-23T20:54:18.728Z","repository":{"id":32066655,"uuid":"35638505","full_name":"google/nsjail","owner":"google","description":"A lightweight process isolation tool that utilizes Linux namespaces, cgroups, rlimits and seccomp-bpf syscall filters, leveraging the Kafel BPF language for enhanced security.","archived":false,"fork":false,"pushed_at":"2025-03-23T18:57:51.000Z","size":1455,"stargazers_count":3194,"open_issues_count":36,"forks_count":283,"subscribers_count":88,"default_branch":"master","last_synced_at":"2025-04-23T20:54:12.233Z","etag":null,"topics":["chroot","linux","linux-namespaces","process-isolation","seccomp-bpf-policies","security"],"latest_commit_sha":null,"homepage":"https://nsjail.dev","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-05-14T21:42:10.000Z","updated_at":"2025-04-22T08:57:52.000Z","dependencies_parsed_at":"2023-01-14T20:26:19.158Z","dependency_job_id":"21226d3d-6878-4beb-b264-402cd254dd94","html_url":"https://github.com/google/nsjail","commit_stats":{"total_commits":1125,"total_committers":55,"mean_commits":"20.454545454545453","dds":"0.21599999999999997","last_synced_commit":"a00a0efabc0c1bd44e24c798a19d6e46eefedb8d"},"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fnsjail","tags_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/google%2Fnsjail/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fnsjail/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fnsjail/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/nsjail/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250514767,"owners_count":21443208,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chroot","linux","linux-namespaces","process-isolation","seccomp-bpf-policies","security"],"created_at":"2024-07-31T00:00:37.787Z","updated_at":"2025-04-23T20:54:18.712Z","avatar_url":"https://github.com/google.png","language":"C++","funding_links":[],"categories":["C++","\u003ca name=\"cpp\"\u003e\u003c/a\u003eC++","C++ (70)","Sandboxes","security","**Sandboxing Technologies Feature Matrix**","\u003ca id=\"89e277bca2740d737c1aeac3192f374c\"\u003e\u003c/a\u003e工具"],"sub_categories":["**2.2. 
Application Kernels: Intercepting the System Call**","\u003ca id=\"203d00ef3396d68f5277c90279f4ebf3\"\u003e\u003c/a\u003e新添加"],"readme":"- [Overview](#overview)\n- [What forms of isolation does it provide](#what-forms-of-isolation-does-it-provide)\n- Which use-cases are supported\n  * [Isolation of network services (inetd style)](#isolation-of-network-services-inetd-style)\n  * [Isolation with access to a private, cloned interface (requires root/setuid)](#isolation-with-access-to-a-private-cloned-interface-requires-rootsetuid)\n  * [Isolation of local processes](#isolation-of-local-processes)\n  * [Isolation of local processes (and re-running them, if necessary)](#isolation-of-local-processes-and-re-running-them-if-necessary)\n- Examples of use\n  * [Bash in a minimal file-system with uid==0 and access to /dev/urandom only](#bash-in-a-minimal-file-system-with-uid0-and-access-to-devurandom-only)\n  * [/usr/bin/find in a minimal file-system (only /usr/bin/find accessible from /usr/bin)](#usrbinfind-in-a-minimal-file-system-only-usrbinfind-accessible-from-usrbin)\n  * [Using /etc/subuid](#using-etcsubuid)\n  * [Even more contrained shell (with seccomp-bpf policies)](#even-more-contrained-shell-with-seccomp-bpf-policies)\n- [Configuration file](#configuration-file)\n- [More info](#more-info)\n- [Launching in Docker](#launching-in-docker)\n- [Contact](#contact)\n\n***\nThis is NOT an official Google product.\n\n***\n\n### Overview\nNsJail is a process isolation tool for Linux. It utilizes Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters of the Linux kernel.\n\nIt can help you with (among other things):\n  * Isolating __networking services__ (e.g. web, time, DNS), by isolating them from the rest of the OS\n  * Hosting computer security challenges (so-called __CTFs__)\n  * Containing invasive syscall-level OS __fuzzers__\n\nFeatures:\n  - [x]  Offers three __distinct operational modes__. 
See [this section](#which-use-cases-are-supported) for more info.\n  - [x]  Utilizes [kafel seccomp-bpf configuration language](https://github.com/google/kafel/) for __flexible syscall policy definitions__.\n  - [x]  Uses expressive, ProtoBuf-based [configuration file](#configuration-file)\n  - [x]  It's __rock-solid__.\n\n***\n### What forms of isolation does it provide\n1. Linux __namespaces__: UTS (hostname), MOUNT (chroot), PID (separate PID tree), IPC, NET (separate networking context), USER, CGROUPS\n2. __FS constraints__: chroot(), pivot_root(), RO-remounting, custom ```/proc``` and ```tmpfs``` mount points\n3. __Resource limits__ (wall-time/CPU time limits, VM/mem address space limits, etc.)\n4. Programmable seccomp-bpf __syscall filters__ (through the [kafel language](https://github.com/google/kafel/))\n5. Cloned and isolated __Ethernet interfaces__\n6. __Cgroups__ for memory and PID utilization control\n\n***\n### Which use-cases are supported\n#### Isolation of network services (inetd style)\n\n_PS: You'll need to have a valid file-system tree in ```/chroot```. If you don't have it, change ```/chroot``` to ```/```_\n\n+ Server:\n\u003cpre\u003e\n $ ./nsjail -Ml --port 9000 --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i\n\u003c/pre\u003e\n\n+ Client:\n\u003cpre\u003e\n $ nc 127.0.0.1 9000\n / $ ifconfig\n / $ ifconfig -a\n lo    Link encap:Local Loopback\n       LOOPBACK  MTU:65536  Metric:1\n       RX packets:0 errors:0 dropped:0 overruns:0 frame:0\n       TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0\n       RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)\n / $ ps wuax\n PID   USER     COMMAND\n 1 99999    /bin/sh -i\n 3 99999    {busybox} ps wuax\n / $\n\n\u003c/pre\u003e\n\n#### Isolation with access to a private, cloned interface (requires root/setuid)\n\n_PS: You'll need to have a valid file-system tree in ```/chroot```. 
If you don't have it, change ```/chroot``` to ```/```_\n\n\u003cpre\u003e\n$ sudo ./nsjail --user 9999 --group 9999 --macvlan_iface eth0 --chroot /chroot/ -Mo --macvlan_vs_ip 192.168.0.44 --macvlan_vs_nm 255.255.255.0 --macvlan_vs_gw 192.168.0.1 -- /bin/sh -i\n/ $ id\nuid=9999 gid=9999\n/ $ ip addr sh\n1: lo: \u003cLOOPBACK,UP,LOWER_UP\u003e mtu 65536 qdisc noqueue \n    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1/128 scope host \n       valid_lft forever preferred_lft forever\n2: vs: \u003cBROADCAST,MULTICAST,UP,LOWER_UP\u003e mtu 1500 qdisc noqueue \n    link/ether ca:a2:69:21:33:66 brd ff:ff:ff:ff:ff:ff\n    inet 192.168.0.44/24 brd 192.168.0.255 scope global vs\n       valid_lft forever preferred_lft forever\n    inet6 fe80::c8a2:69ff:fe21:cd66/64 scope link \n       valid_lft forever preferred_lft forever\n/ $ nc 217.146.165.209 80\nGET / HTTP/1.0\n\nHTTP/1.0 302 Found\nCache-Control: private\nContent-Type: text/html; charset=UTF-8\nLocation: https://www.google.ch/?gfe_rd=cr\u0026ei=cEzWVrG2CeTI8ge88ofwDA\nContent-Length: 258\nDate: Wed, 02 Mar 2016 02:14:08 GMT\n\n...\n...\n/ $ \n\u003c/pre\u003e\n\n#### Isolation of local processes\n\n_PS: You'll need to have a valid file-system tree in ```/chroot```. 
If you don't have it, change ```/chroot``` to ```/```_\n\n\u003cpre\u003e\n $ ./nsjail -Mo --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i\n / $ ifconfig -a\n lo    Link encap:Local Loopback\n       LOOPBACK  MTU:65536  Metric:1\n       RX packets:0 errors:0 dropped:0 overruns:0 frame:0\n       TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0\n       RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)\n / $ id\n uid=99999 gid=99999\n / $ ps wuax\n PID   USER     COMMAND\n 1 99999    /bin/sh -i\n 4 99999    {busybox} ps wuax\n / $exit\n $\n\u003c/pre\u003e\n\n#### Isolation of local processes (and re-running them, if necessary)\n\n_PS: You'll need to have a valid file-system tree in ```/chroot```. If you don't have it, change ```/chroot``` to ```/```_\n\n\u003cpre\u003e\n $ ./nsjail -Mr --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i\n BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash)\n Enter 'help' for a list of built-in commands.\n / $ ps wuax\n PID   USER     COMMAND\n 1 99999    /bin/sh -i\n 2 99999    {busybox} ps wuax\n / $ exit\n BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash)\n Enter 'help' for a list of built-in commands.\n / $ ps wuax\n PID   USER     COMMAND\n 1 99999    /bin/sh -i\n 2 99999    {busybox} ps wuax\n / $\n\u003c/pre\u003e\n\n### Bash in a minimal file-system with uid==0 and access to /dev/urandom only\n\n\u003cpre\u003e\n$ ./nsjail -Mo --user 0 --group 99999 -R /bin/ -R /lib -R /lib64/ -R /usr/ -R /sbin/ -T /dev -R /dev/urandom --keep_caps -- /bin/bash -i\n[2017-05-24T17:08:02+0200] Mode: STANDALONE_ONCE\n[2017-05-24T17:08:02+0200] Jail parameters: hostname:'NSJAIL', chroot:'(null)', process:'/bin/bash', bind:[::]:0, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clonew_newuts:true, clone_newcgroup:false, keep_caps:true, tmpfs_size:4194304, 
disable_no_new_privs:false, pivot_root_only:false\n[2017-05-24T17:08:02+0200] Mount point: src:'none' dst:'/' type:'tmpfs' flags:MS_RDONLY|0 options:'' isDir:True\n[2017-05-24T17:08:02+0200] Mount point: src:'none' dst:'/proc' type:'proc' flags:MS_RDONLY|0 options:'' isDir:True\n[2017-05-24T17:08:02+0200] Mount point: src:'/bin/' dst:'/bin/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:08:02+0200] Mount point: src:'/lib' dst:'/lib' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:08:02+0200] Mount point: src:'/lib64/' dst:'/lib64/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:08:02+0200] Mount point: src:'/usr/' dst:'/usr/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:08:02+0200] Mount point: src:'/sbin/' dst:'/sbin/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:08:02+0200] Mount point: src:'none' dst:'/dev' type:'tmpfs' flags:0 options:'size=4194304' isDir:True\n[2017-05-24T17:08:02+0200] Mount point: src:'/dev/urandom' dst:'/dev/urandom' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:False\n[2017-05-24T17:08:02+0200] Uid map: inside_uid:0 outside_uid:69664\n[2017-05-24T17:08:02+0200] Gid map: inside_gid:99999 outside_gid:5000\n[2017-05-24T17:08:02+0200] Executing '/bin/bash' for '[STANDALONE_MODE]'\nbash: cannot set terminal process group (-1): Inappropriate ioctl for device\nbash: no job control in this shell\nbash-4.3# ls -l\ntotal 28\ndrwxr-xr-x   2 65534 65534  4096 May 15 14:04 bin\ndrwxrwxrwt   2     0 99999    60 May 24 15:08 dev\ndrwxr-xr-x  28 65534 65534  4096 May 15 14:10 lib\ndrwxr-xr-x   2 65534 65534  4096 May 15 13:56 lib64\ndr-xr-xr-x 391 65534 65534     0 May 24 15:08 proc\ndrwxr-xr-x   2 65534 65534 12288 May 15 14:16 sbin\ndrwxr-xr-x  17 65534 65534  4096 May 15 13:58 usr\nbash-4.3# id\nuid=0 gid=99999 groups=65534,99999\nbash-4.3# exit\nexit\n[2017-05-24T17:08:05+0200] 
PID: 129839 exited with status: 0, (PIDs left: 0)\n\u003c/pre\u003e\n\n### /usr/bin/find in a minimal file-system (only /usr/bin/find accessible from /usr/bin)\n\n\u003cpre\u003e\n$ ./nsjail -Mo --user 99999 --group 99999 -R /lib/x86_64-linux-gnu/ -R /lib/x86_64-linux-gnu -R /lib64 -R /usr/bin/find -R /dev/urandom --keep_caps -- /usr/bin/find / | wc -l\n[2017-05-24T17:04:37+0200] Mode: STANDALONE_ONCE\n[2017-05-24T17:04:37+0200] Jail parameters: hostname:'NSJAIL', chroot:'(null)', process:'/usr/bin/find', bind:[::]:0, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clonew_newuts:true, clone_newcgroup:false, keep_caps:true, tmpfs_size:4194304, disable_no_new_privs:false, pivot_root_only:false\n[2017-05-24T17:04:37+0200] Mount point: src:'none' dst:'/' type:'tmpfs' flags:MS_RDONLY|0 options:'' isDir:True\n[2017-05-24T17:04:37+0200] Mount point: src:'none' dst:'/proc' type:'proc' flags:MS_RDONLY|0 options:'' isDir:True\n[2017-05-24T17:04:37+0200] Mount point: src:'/lib/x86_64-linux-gnu/' dst:'/lib/x86_64-linux-gnu/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:04:37+0200] Mount point: src:'/lib/x86_64-linux-gnu' dst:'/lib/x86_64-linux-gnu' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:04:37+0200] Mount point: src:'/lib64' dst:'/lib64' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:04:37+0200] Mount point: src:'/usr/bin/find' dst:'/usr/bin/find' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:False\n[2017-05-24T17:04:37+0200] Mount point: src:'/dev/urandom' dst:'/dev/urandom' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:False\n[2017-05-24T17:04:37+0200] Uid map: inside_uid:99999 outside_uid:69664\n[2017-05-24T17:04:37+0200] Gid map: inside_gid:99999 outside_gid:5000\n[2017-05-24T17:04:37+0200] Executing '/usr/bin/find' for 
'[STANDALONE_MODE]'\n/usr/bin/find: `/proc/tty/driver': Permission denied\n2289\n[2017-05-24T17:04:37+0200] PID: 129525 exited with status: 1, (PIDs left: 0)\n\u003c/pre\u003e\n\n### Using /etc/subuid\n\n\u003cpre\u003e\n$ tail -n1 /etc/subuid\nuser:10000000:1\n$ ./nsjail -R /lib -R /lib64/ -R /usr/lib -R /usr/bin/ -R /usr/sbin/ -R /bin/ -R /sbin/ -R /dev/null -U 0:10000000:1 -u 0 -R /tmp/ -T /tmp/ -- /bin/ls -l /usr/\n[2017-05-24T17:12:31+0200] Mode: STANDALONE_ONCE\n[2017-05-24T17:12:31+0200] Jail parameters: hostname:'NSJAIL', chroot:'(null)', process:'/bin/ls', bind:[::]:0, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clonew_newuts:true, clone_newcgroup:false, keep_caps:false, tmpfs_size:4194304, disable_no_new_privs:false, pivot_root_only:false\n[2017-05-24T17:12:31+0200] Mount point: src:'none' dst:'/' type:'tmpfs' flags:MS_RDONLY|0 options:'' isDir:True\n[2017-05-24T17:12:31+0200] Mount point: src:'none' dst:'/proc' type:'proc' flags:MS_RDONLY|0 options:'' isDir:True\n[2017-05-24T17:12:31+0200] Mount point: src:'/lib' dst:'/lib' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:12:31+0200] Mount point: src:'/lib64/' dst:'/lib64/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:12:31+0200] Mount point: src:'/usr/lib' dst:'/usr/lib' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:12:31+0200] Mount point: src:'/usr/bin/' dst:'/usr/bin/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:12:31+0200] Mount point: src:'/usr/sbin/' dst:'/usr/sbin/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:12:31+0200] Mount point: src:'/bin/' dst:'/bin/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:12:31+0200] Mount point: src:'/sbin/' dst:'/sbin/' type:'' 
flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:12:31+0200] Mount point: src:'/dev/null' dst:'/dev/null' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:False\n[2017-05-24T17:12:31+0200] Mount point: src:'/tmp/' dst:'/tmp/' type:'' flags:MS_RDONLY|MS_BIND|MS_REC|0 options:'' isDir:True\n[2017-05-24T17:12:31+0200] Mount point: src:'none' dst:'/tmp/' type:'tmpfs' flags:0 options:'size=4194304' isDir:True\n[2017-05-24T17:12:31+0200] Uid map: inside_uid:0 outside_uid:69664\n[2017-05-24T17:12:31+0200] Gid map: inside_gid:5000 outside_gid:5000\n[2017-05-24T17:12:31+0200] Newuid mapping: inside_uid:'0' outside_uid:'10000000' count:'1'\n[2017-05-24T17:12:31+0200] Executing '/bin/ls' for '[STANDALONE_MODE]'\ntotal 120\ndrwxr-xr-x   5 65534 65534 77824 May 24 12:25 bin\ndrwxr-xr-x 210 65534 65534 20480 May 22 16:11 lib\ndrwxr-xr-x   4 65534 65534 20480 May 24 00:24 sbin\n[2017-05-24T17:12:31+0200] PID: 130841 exited with status: 0, (PIDs left: 0)\n\u003c/pre\u003e\n\n### Even more contrained shell (with seccomp-bpf policies)\n\n\u003cpre\u003e\n$ ./nsjail --chroot / --seccomp_string 'ALLOW { write, execve, brk, access, mmap, open, openat, newfstat, close, read, mprotect, arch_prctl, munmap, getuid, getgid, getpid, rt_sigaction, geteuid, getppid, getcwd, getegid, ioctl, fcntl, newstat, clone, wait4, rt_sigreturn, exit_group } DEFAULT KILL' -- /bin/sh -i\n[2017-01-15T21:53:08+0100] Mode: STANDALONE_ONCE\n[2017-01-15T21:53:08+0100] Jail parameters: hostname:'NSJAIL', chroot:'/', process:'/bin/sh', bind:[::]:0, max_conns_per_ip:0, uid:(ns:1000, global:1000), gid:(ns:1000, global:1000), time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clonew_newuts:true, clone_newcgroup:false, keep_caps:false, tmpfs_size:4194304, disable_no_new_privs:false, pivot_root_only:false\n[2017-01-15T21:53:08+0100] Mount point: src:'/' dst:'/' type:'' flags:0x5001 
options:''\n[2017-01-15T21:53:08+0100] Mount point: src:'(null)' dst:'/proc' type:'proc' flags:0x0 options:''\n[2017-01-15T21:53:08+0100] PID: 18873 about to execute '/bin/sh' for [STANDALONE_MODE]\n/bin/sh: 0: can't access tty; job control turned off\n$ set\nIFS='\n'\nOPTIND='1'\nPATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'\nPPID='0'\nPS1='$ '\nPS2='\u003e '\nPS4='+ '\nPWD='/'\n$ id\nBad system call\n$ exit\n[2017-01-15T21:53:17+0100] PID: 18873 exited with status: 159, (PIDs left: 0)\n\u003c/pre\u003e\n\n***\n### Configuration file\n\nYou will also find all examples in the [configs](https://github.com/google/nsjail/blob/master/configs) directory.\n\n***\n\n[config.proto](https://github.com/google/nsjail/blob/master/config.proto) contains ProtoBuf schema for nsjail's configuration format.\n\n***\n\nYou can examine an example config file in [configs/bash-with-fake-geteuid.cfg](https://github.com/google/nsjail/blob/master/configs/bash-with-fake-geteuid.cfg).\n\nUsage:\n\u003cpre\u003e\n$ ./nsjail --config configs/bash-with-fake-geteuid.cfg\n\u003c/pre\u003e\n\nYou can also override certain options with command-line options. 
Here, the executed binary (_/bin/bash_) is overridden with _/usr/bin/id_, yet options from _configs/bash-with-fake-geteuid.cfg_ still apply\n\u003cpre\u003e\n$ ./nsjail --config configs/bash-with-fake-geteuid.cfg -- /usr/bin/id\n...\n[INSIDE-JAIL]: id\nuid=999999 gid=999998 euid=4294965959 groups=999998,65534\n[INSIDE-JAIL]: exit\n[2017-05-27T18:45:40+0200] PID: 16579 exited with status: 0, (PIDs left: 0)\n\u003c/pre\u003e\n\n***\n\nYou might also want to try using [configs/home-documents-with-xorg-no-net.cfg](https://github.com/google/nsjail/blob/master/configs/home-documents-with-xorg-no-net.cfg).\n\n\u003cpre\u003e\n$ ./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- /usr/bin/evince /user/Documents/doc.pdf\n$ ./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- /usr/bin/geeqie /user/Documents/\n$ ./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- /usr/bin/gv /user/Documents/doc.pdf\n$ ./nsjail --config configs/home-documents-with-xorg-no-net.cfg -- /usr/bin/mupdf /user/Documents/doc.pdf\n\u003c/pre\u003e\n\n***\n\nThe [configs/firefox-with-net.cfg](https://github.com/google/nsjail/blob/master/configs/firefox-with-net.cfg)\nconfig file will allow you to run firefox inside a sandboxed environment:\n\n\u003cpre\u003e\n$ ./nsjail --config configs/firefox-with-net.cfg\n\u003c/pre\u003e\n\nA more complex setup, which utilizes virtualized (cloned) Ethernet\ninterfaces (to separate it from the main network namespace), can be\nfound in [configs/firefox-with-cloned-net.cfg](https://github.com/google/nsjail/blob/master/configs/firefox-with-cloned-net.cfg).\nRemember to change relevant UIDs and Ethernet interface names before use.\n\nAs using cloned Ethernet interfaces (MACVTAP) requires root privileges, you'll\nhave to run it under sudo:\n\n\u003cpre\u003e\n$ sudo ./nsjail --config configs/firefox-with-cloned-net.cfg\n\u003c/pre\u003e\n\n***\n### More info\n\nThe command-line options should be self-explanatory, while the proto-buf 
config options are described in [config.proto](https://github.com/google/nsjail/blob/master/config.proto)\n\n\u003cpre\u003e\n./nsjail --help\n\u003c/pre\u003e\n\n\u003cpre\u003e\n Usage: ./nsjail [options] -- path_to_command [args]\n Options:\n  --help|-h \n \tHelp plz..\n  --mode|-M VALUE\n \tExecution mode (default: 'o' [MODE_STANDALONE_ONCE]):\n\tl: Wait for connections on a TCP port (specified with --port) [MODE_LISTEN_TCP]\n\to: Launch a single process on the console using clone/execve [MODE_STANDALONE_ONCE]\n\te: Launch a single process on the console using execve [MODE_STANDALONE_EXECVE]\n\tr: Launch a single process on the console with clone/execve, keep doing it forever [MODE_STANDALONE_RERUN]\n  --config|-C VALUE\n \tConfiguration file in the config.proto ProtoBuf format (see configs/ directory for examples)\n  --exec_file|-x VALUE\n \tFile to exec (default: argv[0])\n  --execute_fd \n \tUse execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing\n  --chroot|-c VALUE\n \tDirectory containing / of the jail (default: none)\n  --no_pivotroot \n \tWhen creating a mount namespace, use mount(MS_MOVE) and chroot rather than pivot_root. Usefull when pivot_root is disallowed (e.g. initramfs). Note: escapable is some configuration\n  --rw \n \tMount chroot dir (/) R/W (default: R/O)\n  --user|-u VALUE\n \tUsername/uid of processes inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times\n  --group|-g VALUE\n \tGroupname/gid of processes inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. 
Can be specified multiple times\n  --hostname|-H VALUE\n \tUTS name (hostname) of the jail (default: 'NSJAIL')\n  --cwd|-D VALUE\n \tDirectory in the namespace the process will run (default: '/')\n  --port|-p VALUE\n \tTCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)\n  --bindhost VALUE\n \tIP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')\n  --max_conns VALUE\n \tMaximum number of connections across all IPs (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))\n  --max_conns_per_ip|-i VALUE\n \tMaximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))\n  --log|-l VALUE\n \tLog file (default: use log_fd)\n  --log_fd|-L VALUE\n \tLog FD (default: 2)\n  --time_limit|-t VALUE\n \tMaximum time that a jail can exist, in seconds (default: 600)\n  --max_cpus VALUE\n \tMaximum number of CPUs a single jailed process can use (default: 0 'no limit')\n  --daemon|-d \n \tDaemonize after start\n  --verbose|-v \n \tVerbose output\n  --quiet|-q \n \tLog warning and more important messages only\n  --really_quiet|-Q \n \tLog fatal messages only\n  --keep_env|-e \n \tPass all environment variables to the child process (default: all envars are cleared)\n  --env|-E VALUE\n \tAdditional environment variable (can be used multiple times). If the envar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envar value will be used\n  --keep_caps \n \tDon't drop any capabilities\n  --cap VALUE\n \tRetain this capability, e.g. CAP_PTRACE (can be specified multiple times)\n  --silent \n \tRedirect child process' fd:0/1/2 to /dev/null\n  --stderr_to_null \n \tRedirect child process' fd:2 (STDERR_FILENO) to /dev/null\n  --skip_setsid \n \tDon't call setsid(), allows for terminal signal handling in the sandboxed process. 
Dangerous\n  --pass_fd VALUE\n \tDon't close this FD before executing the child process (can be specified multiple times), by default: 0/1/2 are kept open\n  --disable_no_new_privs \n \tDon't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)\n  --rlimit_as VALUE\n \tRLIMIT_AS in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 4096)\n  --rlimit_core VALUE\n \tRLIMIT_CORE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 0)\n  --rlimit_cpu VALUE\n \tRLIMIT_CPU, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 600)\n  --rlimit_fsize VALUE\n \tRLIMIT_FSIZE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 1)\n  --rlimit_nofile VALUE\n \tRLIMIT_NOFILE, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 32)\n  --rlimit_nproc VALUE\n \tRLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')\n  --rlimit_stack VALUE\n \tRLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')\n  --rlimit_memlock VALUE\n \tRLIMIT_MEMLOCK in KB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')\n  --rlimit_rtprio VALUE\n \tRLIMIT_RTPRIO, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')\n  --rlimit_msgqueue VALUE\n \tRLIMIT_MSGQUEUE in bytes, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')\n  
--disable_rlimits \n \tDisable all rlimits, default to limits set by parent\n  --persona_addr_compat_layout \n \tpersonality(ADDR_COMPAT_LAYOUT)\n  --persona_mmap_page_zero \n \tpersonality(MMAP_PAGE_ZERO)\n  --persona_read_implies_exec \n \tpersonality(READ_IMPLIES_EXEC)\n  --persona_addr_limit_3gb \n \tpersonality(ADDR_LIMIT_3GB)\n  --persona_addr_no_randomize \n \tpersonality(ADDR_NO_RANDOMIZE)\n  --disable_clone_newnet|-N \n \tDon't use CLONE_NEWNET. Enable global networking inside the jail\n  --disable_clone_newuser \n \tDon't use CLONE_NEWUSER. Requires euid==0\n  --disable_clone_newns \n \tDon't use CLONE_NEWNS\n  --disable_clone_newpid \n \tDon't use CLONE_NEWPID\n  --disable_clone_newipc \n \tDon't use CLONE_NEWIPC\n  --disable_clone_newuts \n \tDon't use CLONE_NEWUTS\n  --disable_clone_newcgroup \n \tDon't use CLONE_NEWCGROUP. Might be required for kernel versions \u003c 4.6\n  --enable_clone_newtime \n \tUse CLONE_NEWTIME. Supported with kernel versions \u003e= 5.3\n  --uid_mapping|-U VALUE\n \tAdd a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present\n  --gid_mapping|-G VALUE\n \tAdd a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap (set-uid) to be present\n  --bindmount_ro|-R VALUE\n \tList of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'\n  --bindmount|-B VALUE\n \tList of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'\n  --tmpfsmount|-T VALUE\n \tList of mountpoints to be mounted as tmpfs (R/W) inside the container. Can be specified multiple times. Supports 'dest' syntax. 
Alternatively, use '-m none:dest:tmpfs:size=8388608'\n  --mount|-m VALUE\n \tArbitrary mount, format src:dst:fs_type:options\n  --symlink|-s VALUE\n \tSymlink, format src:dst\n  --disable_proc \n \tDisable mounting procfs in the jail\n  --proc_path VALUE\n \tPath used to mount procfs (default: '/proc')\n  --proc_rw \n \tIs procfs mounted as R/W (default: R/O)\n  --seccomp_policy|-P VALUE\n \tPath to file containing seccomp-bpf policy (see kafel/)\n  --seccomp_string VALUE\n \tString with kafel seccomp-bpf policy (see kafel/)\n  --seccomp_log \n \tUse SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW). Supported since kernel version 4.14\n  --nice_level VALUE\n \tSet jailed process niceness (-20 is highest -priority, 19 is lowest). By default, set to 19\n  --cgroup_mem_max VALUE\n \tMaximum number of bytes to use in the group (default: '0' - disabled)\n  --cgroup_mem_memsw_max VALUE\n \tMaximum number of memory+swap bytes to use (default: '0' - disabled)\n  --cgroup_mem_swap_max VALUE\n \tMaximum number of swap bytes to use (default: '-1' - disabled)\n  --cgroup_mem_mount VALUE\n \tLocation of memory cgroup FS (default: '/sys/fs/cgroup/memory')\n  --cgroup_mem_parent VALUE\n \tWhich pre-existing memory cgroup to use as a parent (default: 'NSJAIL')\n  --cgroup_pids_max VALUE\n \tMaximum number of pids in a cgroup (default: '0' - disabled)\n  --cgroup_pids_mount VALUE\n \tLocation of pids cgroup FS (default: '/sys/fs/cgroup/pids')\n  --cgroup_pids_parent VALUE\n \tWhich pre-existing pids cgroup to use as a parent (default: 'NSJAIL')\n  --cgroup_net_cls_classid VALUE\n \tClass identifier of network packets in the group (default: '0' - disabled)\n  --cgroup_net_cls_mount VALUE\n \tLocation of net_cls cgroup FS (default: '/sys/fs/cgroup/net_cls')\n  --cgroup_net_cls_parent VALUE\n \tWhich pre-existing net_cls cgroup to use as a parent (default: 'NSJAIL')\n  --cgroup_cpu_ms_per_sec VALUE\n \tNumber of milliseconds of CPU time per second that the process 
group can use (default: '0' - no limit)\n  --cgroup_cpu_mount VALUE\n \tLocation of cpu cgroup FS (default: '/sys/fs/cgroup/cpu')\n  --cgroup_cpu_parent VALUE\n \tWhich pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')\n  --cgroupv2_mount VALUE\n \tLocation of cgroupv2 directory (default: '/sys/fs/cgroup')\n  --use_cgroupv2 \n \tUse cgroup v2\n  --detect_cgroupv2 \n \tUse cgroupv2, if it is available. (Specify instead of use_cgroupv2)\n  --iface_no_lo \n \tDon't bring the 'lo' interface up\n  --iface_own VALUE\n \tMove this existing network interface into the new NET namespace. Can be specified multiple times\n  --macvlan_iface|-I VALUE\n \tInterface which will be cloned (MACVLAN) and put inside the subprocess' namespace as 'vs'\n  --macvlan_vs_ip VALUE\n \tIP of the 'vs' interface (e.g. \"192.168.0.1\")\n  --macvlan_vs_nm VALUE\n \tNetmask of the 'vs' interface (e.g. \"255.255.255.0\")\n  --macvlan_vs_gw VALUE\n \tDefault GW for the 'vs' interface (e.g. \"192.168.0.1\")\n  --macvlan_vs_ma VALUE\n \tMAC-address of the 'vs' interface (e.g. \"ba:ad:ba:be:45:00\")\n  --macvlan_vs_mo VALUE\n \tMode of the 'vs' interface. Can be either 'private', 'vepa', 'bridge' or 'passthru' (default: 'private')\n  --disable_tsc \n \tDisable rdtsc and rdtscp instructions. WARNING: To make it effective, you also need to forbid `prctl(PR_SET_TSC, PR_TSC_ENABLE, ...)` in seccomp rules! (x86 and x86_64 only). 
Dynamic binaries produced by GCC seem to rely on RDTSC, but static ones should work.\n  --forward_signals \n \tForward fatal signals to the child process instead of always using SIGKILL.\n \n Examples: \n  Wait on a port 31337 for connections, and run /bin/sh\n   nsjail -Ml --port 31337 --chroot / -- /bin/sh -i\n  Re-run echo command as a sub-process\n   nsjail -Mr --chroot / -- /bin/echo \"ABC\"\n  Run echo command once only, as a sub-process\n   nsjail -Mo --chroot / -- /bin/echo \"ABC\"\n  Execute echo command directly, without a supervising process\n   nsjail -Me --chroot / --disable_proc -- /bin/echo \"ABC\"\n\u003c/pre\u003e\n\n***\n### Launching in Docker\n\nTo launch nsjail in a docker container clone the repository and build the docker image:\n\u003cpre\u003e\ndocker build -t nsjailcontainer .\n\u003c/pre\u003e\n\nThis will build up an image containing nsjail and kafel.\n\nFrom now you can either use it in another Dockerfile (`FROM nsjailcontainer`) or directly:\n\u003cpre\u003e\ndocker run --privileged --rm -it nsjailcontainer nsjail --user 99999 --group 99999 --disable_proc --chroot / --time_limit 30 /bin/bash\n\u003c/pre\u003e\n\n***\n### Contact\n\n  * User mailing list: [nsjail@googlegroups.com](mailto:nsjail@googlegroups.com), sign up with this [link](https://groups.google.com/forum/#!forum/nsjail)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fnsjail","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fnsjail","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fnsjail/lists"}