Nsjail Versions

A lightweight process isolation tool that utilizes Linux namespaces, cgroups, rlimits and seccomp-bpf syscall filters, leveraging the Kafel BPF language for enhanced security.

3.4

7 months ago
  • Improved cgroups2 support
  • Improved cgroups2 + docker interoperability
  • New configs: hexchat, telegram
  • Better support for clone3
  • New signals displayed: SIGPWR
  • Support for nvim+.clangd
  • Improved .clang-format rules
  • Print help to stdout if -h | --help was used

3.3

1 year ago
  • Build fix: Unset LDFLAGS for kafel
  • Setup cgroup.subtree_control controllers when necessary in cgroupsv2

3.2

1 year ago
  • switch to C++14
  • various example configs improvements
  • using atomics in signal handlers
  • improve debug logging
  • use only CPUs from current affinity set
  • add option to forward fatal signals to the child

3.1

2 years ago
  • config proto fields renumbered
  • various compilation/build error fixes
  • process is killed in listen mode once tcp connection is closed
  • Support for newly added Linux capabilities (CAP_BPF, CAP_PERFMON, CAP_CHECKPOINT_RESTORE)
  • Added global connection limit for listen mode
  • Added support for rlimit_mlock, rlimit_rtpr, rlimit_msgq
  • Added switch_root option useful for embedded systems that use rootfs
  • Fix setting CPU CFS limit
  • Allow mount options to contain colons
  • Added support for setting cgroup memory.memsw.limit_in_bytes
  • Added option to disable TSC

3.0

3 years ago
  • the TCP proxy mode is now a socketpair proxy
  • fixes for some configs/ (e.g. for xchat and for znc)
  • fixes to the Dockerfile and to the dockerpush.yml
  • new clone option recognized (CLONE_NEWPID)
  • fixed max_conns_per_ip
  • clarification of units for cgroups_mem_max

2.9

4 years ago
  • even more C++-isms (e.g. RETURN_ON_FAILURE)
  • improved EINTR handling
  • improved configs for some tools
  • changed default RLIMIT_AS to 4GiB
  • rudimentary support for cgroups2
  • added option to ignore rlimits
  • fixed setcwd() w/o CLONE_NEWNS

2.8

5 years ago
  • even more C++-isms
  • clearer main process loop
  • refactored cgroup setting code
  • ability to specify noexec/nodev/nosuid in mounts
  • updated kafel
  • added --macvlan_vs_ma option
  • better configs/
  • changed behavior of --env - empty var means passing it from parent

2.7

5 years ago
  • More C++'isms across the code
  • Removed 'tmpfs_size', '-m none:dest:tmpfs:size=....' can be used for that
  • Added support for SECCOMP_FILTER_FLAG_LOG
  • Save and restore console state before/after running the subprocesses
  • Make use of newer kafel version
  • '--iface_own' can be used to put some interface into a jail
  • Updated some configs/ (e.g. for Firefox)
  • '-s' can be used to specify symlinks via the cmd-line

2.6

6 years ago
  • Various smaller bugfixes
  • Updated man page
  • Newer kafel with support for i386
  • Updated Dockerfile

2.5

6 years ago
  • Convert code to C++ to simplify sys/queue -> vector operations
  • Make it compile under gcc/g++-4.8
  • Add -m option for arbitrary mounts
  • Create BPF policy once only