I don't see anything to suggest that nsjail has the main feature of bubblewrap: It is safe to make bubblewrap setuid-root, and therefore bubblewrap is a safe way for unprivileged users to use containers. (arguably the only safe way at the moment)
Without nsjail making that guarantee, nsjail is just yet another command line interface to namespaces.
This tool is lighter-weight than firejail. nsjail seems to be a thin abstraction over Linux namespaces, while firejail contains profiles for common desktop applications and some X hackery to enable jailing of GUI programs.
Is this what I should use if I want to intercept filesystem calls (and rewrite them, or generate on the fly the file that is about to be accessed)? Something else I should look into for this purpose?
Re kernel versions: it depends on when CLONE_NEWUSER and seccomp-bpf were added to the kernel for different CPU architectures. For x86-64 it was probably around 3.16, for some others it might be even 4.3 (e.g. ppc64). It might even work with earlier versions if you use --disable_clone_newuser and avoid using seccomp-bpf filters.
jeblair | 8 years ago
catern | 8 years ago
woahhvicky | 8 years ago
moosingin3space | 8 years ago
Bromskloss | 8 years ago
jagger11 | 8 years ago
Not exactly: you can technically overwrite a file with bind mounts, e.g. use
nsjail --chroot / -R /dev/null:/etc/passwd -- /bin/sh -i
This will make /etc/passwd empty, but nsjail doesn't rewrite syscalls. In order to do that, you'd have to use SECCOMP_RET_TRACE (TRACE(number) in kafel config lang), and then add some C code to nsjail which will use ptrace() to intercept and rewrite your syscall. It's possible, just not implemented, because it didn't seem like something that's required by users.
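As an added illustration of the seccomp half of what the reply above describes (this is example code, not code from nsjail, kafel or jagger11): a kafel `TRACE(number)` rule compiles to a seccomp-bpf program that returns SECCOMP_RET_TRACE for the listed syscall numbers, which makes the kernel stop the process and notify a ptrace()-attached tracer that may then rewrite the registers. So that it runs unprivileged, the block does not install the filter with seccomp(2) or attach a tracer; it builds the program and evaluates it with a small classic-BPF interpreter covering the three opcodes used. The struct layouts, constants and x86-64 syscall numbers mirror the Linux UAPI headers; the tracer side is assumed and not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local mirror of the classic-BPF and seccomp definitions (same layout and
 * values as the Linux UAPI headers <linux/filter.h> / <linux/seccomp.h>),
 * so the example compiles and runs without touching the kernel. */
struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct seccomp_data {
    int32_t  nr;                   /* syscall number */
    uint32_t arch;                 /* AUDIT_ARCH_* value */
    uint64_t instruction_pointer;
    uint64_t args[6];
};
#define BPF_LD_W_ABS  0x20u  /* BPF_LD | BPF_W | BPF_ABS */
#define BPF_JEQ_K     0x15u  /* BPF_JMP | BPF_JEQ | BPF_K */
#define BPF_RET_K     0x06u  /* BPF_RET | BPF_K */
#define SECCOMP_RET_KILL_PROCESS 0x80000000u
#define SECCOMP_RET_TRACE        0x7ff00000u
#define SECCOMP_RET_ALLOW        0x7fff0000u
#define AUDIT_ARCH_X86_64        0xc000003eu
#define AUDIT_ARCH_I386          0x40000003u
/* x86-64 syscall numbers, used here as constructed test input */
#define SYS_read_x86_64   0
#define SYS_open_x86_64   2
#define SYS_openat_x86_64 257

/* Emit the filter that TRACE(nr) rules boil down to: refuse a foreign
 * architecture outright, hand the listed syscalls to the tracer
 * (SECCOMP_RET_TRACE) and let everything else through. Returns the number
 * of instructions written, or 0 if `cap` is too small. */
size_t build_trace_filter(struct sock_filter *out, size_t cap, uint32_t arch,
                          const int *traced, size_t n)
{
    size_t need = n + 6, i = 0;
    if (n == 0 || n > 200 || cap < need) return 0;      /* jt is 8 bits wide */
    out[i++] = (struct sock_filter){ BPF_LD_W_ABS, 0, 0, (uint32_t)offsetof(struct seccomp_data, arch) };
    out[i++] = (struct sock_filter){ BPF_JEQ_K, 1, 0, arch };          /* arch ok -> skip the kill */
    out[i++] = (struct sock_filter){ BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS };
    out[i++] = (struct sock_filter){ BPF_LD_W_ABS, 0, 0, (uint32_t)offsetof(struct seccomp_data, nr) };
    for (size_t j = 0; j < n; j++)      /* on match jump forward to the final RET TRACE */
        out[i++] = (struct sock_filter){ BPF_JEQ_K, (uint8_t)(n - j), 0, (uint32_t)traced[j] };
    out[i++] = (struct sock_filter){ BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW };
    out[i++] = (struct sock_filter){ BPF_RET_K, 0, 0, SECCOMP_RET_TRACE };
    return i;
}

/* Evaluate a filter for one syscall the way the kernel's cBPF interpreter
 * would, restricted to the three instruction kinds emitted above. */
uint32_t run_filter(const struct sock_filter *prog, size_t len,
                    const struct seccomp_data *d)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD_W_ABS:                       /* acc = 32-bit word at offset k of seccomp_data */
            if (in->k + 4 > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)d + in->k, sizeof acc);
            pc++;
            break;
        case BPF_JEQ_K:                          /* conditional forward jump */
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case BPF_RET_K:
            return in->k;
        default:                                 /* unsupported opcode: fail closed */
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;             /* fell off the end: fail closed */
}

/* Decide one syscall under a filter that traces open and openat on x86-64. */
uint32_t decide(uint32_t arch, int nr)
{
    static const int traced[] = { SYS_open_x86_64, SYS_openat_x86_64 };
    struct sock_filter prog[16];
    size_t len = build_trace_filter(prog, 16, AUDIT_ARCH_X86_64, traced, 2);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return len ? run_filter(prog, len, &d) : SECCOMP_RET_KILL_PROCESS;
}

int main(void)
{
    printf("openat on x86-64 -> %#x (TRACE=%#x)\n", decide(AUDIT_ARCH_X86_64, SYS_openat_x86_64), SECCOMP_RET_TRACE);
    printf("read on x86-64   -> %#x (ALLOW=%#x)\n", decide(AUDIT_ARCH_X86_64, SYS_read_x86_64), SECCOMP_RET_ALLOW);
    printf("openat on i386   -> %#x (KILL_PROCESS=%#x)\n", decide(AUDIT_ARCH_I386, SYS_openat_x86_64), SECCOMP_RET_KILL_PROCESS);
    return 0;
}
```

The arch check at the top is the part to keep in mind when copying such a filter into a real sandbox: syscall numbers differ between ABIs, so a filter that only compares `nr` would trace (or allow) the wrong call when the process switches to a compat ABI. To act on the TRACE result, a parent would have to attach with ptrace() and handle the seccomp stop before the syscall executes; that part is not included here.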
wmf | 8 years ago
therein | 8 years ago
We use proot in our build pipeline and it would be interesting to look into alternatives.
jagger11 | 8 years ago
Re 'proot'. I've never used it (it seems to be a configurator for the mount namespace), but nsjail seems much more advanced: cgroups support, seccomp-bpf via configuration language support, and a few more features (configs, net).
sitkack | 8 years ago
TheDong | 8 years ago
Are there any other notable differences?
jagger11 | 8 years ago
- ability to use config files (in nsjail in protobuf format)
- 3 operational modes: one of them allows listening on a TCP port and running processes on demand (inetd-style)
- support for cgroups (pid and mem limiting), here rlimits are not enough
- more expressive seccomp-bpf rules
_Marak_ | 8 years ago
Thank you authors! Really appreciate your work on this project.
andystanton | 8 years ago