### Install Dependencies and Build NsJail from Source Source: https://github.com/google/nsjail/blob/master/README.md Installs necessary dependencies on Debian/Ubuntu systems and then builds NsJail from its source code. Ensure you have git, build tools, and protobuf development libraries installed. ```bash sudo apt-get install autoconf bison flex gcc g++ git libprotobuf-dev libnl-route-3-dev libtool make pkg-config protobuf-compiler git clone https://github.com/google/nsjail.git cd nsjail make ``` -------------------------------- ### Desktop Application Sandboxing with NsJail Source: https://github.com/google/nsjail/blob/master/README.md Example of sandboxing a GUI application using a pre-defined configuration file. ```bash ./nsjail --config configs/firefox-with-net-wayland.cfg ``` -------------------------------- ### Example NsJail Configuration Source: https://github.com/google/nsjail/blob/master/README.md This is a sample protobuf configuration file for NsJail, defining jail parameters like name, mode, resource limits, and mount points. ```protobuf name: "bash-jail" mode: ONCE hostname: "JAILED" cwd: "/tmp" time_limit: 100 max_cpus: 1 rlimit_as: 512 rlimit_cpu: 10 rlimit_nofile: 32 clone_newnet: true clone_newuser: true clone_newns: true clone_newpid: true clone_newipc: true clone_newuts: true uidmap { inside_id: "0" outside_id: "" count: 1 } gidmap { inside_id: "0" outside_id: "" count: 1 } mount { src: "/" dst: "/" is_bind: true rw: false } mount { dst: "/proc" fstype: "proc" } mount { dst: "/tmp" fstype: "tmpfs" rw: true } seccomp_string: "ALLOW { read, write, exit, exit_group } DEFAULT KILL" ``` -------------------------------- ### Minimal Environment Execution with NsJail Source: https://github.com/google/nsjail/blob/master/README.md Example of running a program with restricted filesystem access using NsJail. It explicitly mounts only necessary directories and binaries. ```bash ./nsjail -Mo \ -R /lib/x86_64-linux-gnu \ -R /lib64 \ -R /usr/bin/find \ -R /dev/urandom \ -- /usr/bin/find / ``` -------------------------------- ### CTF Challenge Hosting with NsJail Source: https://github.com/google/nsjail/blob/master/README.md Example of using NsJail to isolate networked services for CTF challenges. This command sets up a jail with specific resource limits and runs a challenge executable. ```bash ./nsjail -Ml --port 8000 \ --chroot /srv/ctf \ --user 65534 --group 65534 \ --time_limit 60 \ --rlimit_as 128 \ --rlimit_cpu 10 \ -- /srv/ctf/challenge ``` -------------------------------- ### Run Re-executing Process with NsJail (for Fuzzing) Source: https://github.com/google/nsjail/blob/master/README.md Uses NsJail to repeatedly execute a specified command, which is useful for fuzzing or testing process stability. This example executes '/bin/echo "test"'. ```bash ./nsjail -Mr --chroot / -- /bin/echo "test" ``` -------------------------------- ### Fuzzing with NsJail Source: https://github.com/google/nsjail/blob/master/README.md Example of using NsJail for continuous re-execution of potentially crashing programs during fuzzing. It includes resource limits and a seccomp filter. ```bash ./nsjail -Mr \ --chroot / \ --user 99999 \ --time_limit 10 \ --rlimit_as 512 \ --seccomp_string 'ALLOW { ... } DEFAULT KILL' \ -- /path/to/target @@ ``` -------------------------------- ### List Available Namespaces Source: https://github.com/google/nsjail/blob/master/README.md List the available namespaces in /proc/self/ns/ to check resource availability. ```bash ls -la /proc/self/ns/ ``` -------------------------------- ### Load NsJail Configuration Source: https://github.com/google/nsjail/blob/master/README.md Command to load an NsJail configuration file. ```bash ./nsjail --config myconfig.cfg ``` -------------------------------- ### Configure Userland Networking via Protobuf Source: https://github.com/google/nsjail/blob/master/README.md Configure userland networking settings using a protobuf configuration. This includes IP addresses, gateway, ports, and DNS. ```protobuf user_net { enable: true ip: "10.255.255.2" gw: "10.255.255.1" ip6: "fc00::2" gw6: "fc00::1" tcp_ports: "80,443" enable_dns: true } ``` -------------------------------- ### Run Network Service with NsJail (inetd-style) Source: https://github.com/google/nsjail/blob/master/README.md Configures NsJail to run as a network service listening on a specified port. It sets up a chroot, user/group, and executes an interactive shell for incoming connections. ```bash ./nsjail -Ml --port 9000 --chroot /chroot --user 99999 --group 99999 -- /bin/sh -i ``` -------------------------------- ### Enable Userland Networking with Pasta Source: https://github.com/google/nsjail/blob/master/README.md Run NSJail with userland networking enabled using pasta. This allows network access without root privileges. ```bash ./nsjail --user 1000 --group 1000 \ --use_pasta \ --chroot / \ -- /usr/bin/curl https://example.com ``` -------------------------------- ### Check User Namespace Configuration Source: https://github.com/google/nsjail/blob/master/README.md Verify if unprivileged user namespaces are enabled by checking the sysctl value. This is required for CLONE_NEWUSER. ```bash sysctl kernel.unprivileged_userns_clone # Should be 1 ``` -------------------------------- ### Run Basic Isolated Shell with NsJail Source: https://github.com/google/nsjail/blob/master/README.md Launches NsJail to provide a basic isolated shell environment. It enforces a chroot, sets user and group IDs, and executes /bin/bash. ```bash ./nsjail -Mo --chroot / --user 99999 --group 99999 -- /bin/bash ``` -------------------------------- ### Build and Run NsJail using Docker Source: https://github.com/google/nsjail/blob/master/README.md Builds a Docker image for NsJail and then runs it in a privileged mode, providing an isolated shell. The --privileged flag is often required for full namespace functionality. ```bash docker build -t nsjail . docker run --privileged --rm -it nsjail nsjail --user 99999 --group 99999 --chroot / -- /bin/bash ``` -------------------------------- ### Apply Seccomp-bpf Filtering with Kafel Policy Source: https://github.com/google/nsjail/blob/master/README.md Apply seccomp-bpf filters using Kafel policy syntax. This defines allowed system calls and default actions. ```bash ./nsjail --seccomp_string ' POLICY example { ALLOW { read, write, open, close, mmap, munmap, brk, exit_group } DEFAULT KILL } USE example DEFAULT KILL ' -- /bin/program ``` -------------------------------- ### Configure MACVLAN Network Isolation Source: https://github.com/google/nsjail/blob/master/README.md Set up MACVLAN network isolation by cloning a physical interface. This requires root privileges. ```bash sudo ./nsjail \ --macvlan_iface eth0 \ --macvlan_vs_ip 192.168.1.100 \ --macvlan_vs_nm 255.255.255.0 \ --macvlan_vs_gw 192.168.1.1 \ -- /bin/bash ``` -------------------------------- ### Override Command with NsJail Configuration Source: https://github.com/google/nsjail/blob/master/README.md Command to load an NsJail configuration and override the default command to execute. ```bash ./nsjail --config myconfig.cfg -- /usr/bin/id ``` -------------------------------- ### Check /proc Mounts for Overmounting Source: https://github.com/google/nsjail/blob/master/README.md Inspect the /proc/mounts to ensure that /proc is not overmounted, which can cause mount errors. ```bash cat /proc/mounts | grep /proc ``` -------------------------------- ### Enable Verbose Logging for Debugging Source: https://github.com/google/nsjail/blob/master/README.md Enable verbose logging in NSJail for debugging purposes by using the -v flag along with a configuration file. ```bash ./nsjail -v --config myconfig.cfg ``` -------------------------------- ### Configure Cgroups Resource Control Source: https://github.com/google/nsjail/blob/master/README.md Control resources using cgroups by setting memory limits, PID limits, and CPU time per second. ```bash ./nsjail \ --cgroup_mem_max $((512*1024*1024)) \ --cgroup_pids_max 32 \ --cgroup_cpu_ms_per_sec 800 \ -- /bin/cpu_intensive_program ``` -------------------------------- ### NSJail Execution Modes Source: https://github.com/google/nsjail/blob/master/README.md These flags control how NSJail executes processes. Choose the mode that best fits your use case, such as running a single command or setting up a persistent server. ```bash # Filesystem -c, --chroot DIR Chroot directory (default: /) -R, --bindmount_ro SRC Read-only bind mount (SRC or SRC:DST) -B, --bindmount SRC Read-write bind mount (SRC or SRC:DST) -T, --tmpfsmount DST Tmpfs mount at DST -m, --mount SRC:DST:TYPE:OPTS Arbitrary mount ``` ```bash # User/Group -u, --user UID User ID inside jail (default: current) -g, --group GID Group ID inside jail (default: current) -U, --uid_mapping I:O:C Custom UID mapping (requires newuidmap) -G, --gid_mapping I:O:C Custom GID mapping (requires newgidmap) ``` ```bash # Namespaces -N, --disable_clone_newnet Disable network namespace --disable_clone_newuser Disable user namespace --disable_clone_newpid Disable PID namespace --enable_clone_newtime Enable time namespace (kernel >= 5.3) ``` ```bash # Resource Limits -t, --time_limit SEC Wall-time limit in seconds (default: 600) --rlimit_as MB Address space limit in MB --rlimit_cpu SEC CPU time limit in seconds --rlimit_nofile N Max open files --oom_score_adj VALUE OOM score adjustment for the sandbox (-1000 to 1000) ``` ```bash # Security -P, --seccomp_policy FILE Seccomp-bpf policy file (Kafel syntax) --seccomp_string POLICY Inline seccomp policy --cap CAP_NAME Retain capability (can specify multiple) --keep_caps Retain all capabilities --use_core_scheduling Enable core scheduling (SMT-level isolation, requires kernel >= 5.14) ``` ```bash # Networking --iface_own IFACE Move interface into jail --macvlan_iface IFACE Clone interface as MACVLAN --use_pasta Enable userland networking (pasta) ``` ```bash # Configuration -C, --config FILE Load protobuf config file ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.