NsJail is a lightweight Linux process isolation tool that sandboxes processes using namespaces, cgroups, rlimits, and seccomp-bpf syscall filters, with filter policies written in the Kafel BPF language.
NsJail is primarily used to isolate network services, contain local processes, and securely run potentially unsafe code or services by creating restricted execution environments. It is ideal for system administrators, security researchers, and CTF organizers who need robust process isolation and syscall filtering on Linux systems.
NsJail requires a valid filesystem tree for chroot environments and may require root or setuid privileges for network interface cloning. Configuring seccomp-bpf policies via Kafel is recommended to enhance security. It is not an official Google product, and it should be used with an understanding of Linux namespaces and cgroups.
./nsjail -Ml --port 9000 --chroot /chroot/ --user 99999 --group 99999 -- /bin/sh -i
Starts NsJail in inetd-style mode to isolate a network service on port 9000 with a specified chroot and user/group.
nc 127.0.0.1 9000
Connects as a client to the isolated service running inside NsJail on port 9000.
sudo ./nsjail --user 9999 --group 9999 --macvlan_iface eth0 --chroot /chroot/ -Mo --macvlan_vs_ip 192.168.0.44 --macvlan_vs_nm 255.255.255.0 --macvlan_vs_gw 192.168.0.1 -- /bin/sh -i
Runs NsJail with root privileges to isolate a process with access to a private cloned Ethernet interface using macvlan.