Package: wnpp Severity: wishlist Owner: Christian Blichmann <mail@blichmann.eu> * Package name : nsjail Version : 2.9 Upstream Author : Robert Swiecki <robert@swiecki.net> * URL : https://nsjail.dev/ * License : Apache-2.0 Programming Lang: C++ Description : A light-weight process isolation tool using namespaces and seccomp-bpf syscall filters Long description: NsJail is a process isolation tool for Linux. It utilizes the Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters of the Linux kernel. It can help you with (among other things): - Isolating networking services (e.g. web, time, DNS), by isolating them from the rest of the OS - Hosting computer security challenges (so-called CTFs) - Containing invasive syscall-level OS fuzzers - - - - - - - - Why is this package useful/relevant? NsJail is a useful stand-alone tool to quickly isolate Linux processes. Among other things, it is used inside of Docker containers to provide an additional security layer that is easier to configure and more fine- grained than what Docker allows out of the box. - Is it a dependency for another package? No, NsJail is a stand-alone tool. - Do you use it? I personally use it, but more importantly, it is used inside of Google to secure real production workloads. Capture-the-Flag competitions organized by Google also often use it. Google's Certificate Authority runs binaries inside of NsJail as part of its operation. - If there are other packages providing similar functionality, how does it compare? There are tools with overlapping functionality in Debian: * schroot uses the chroot() system call and is not a security tool * fakeroot uses a preloaded library to fake root access * Docker has some security functionality built-in, but is not as fine-grained and harder to configure. It's also a full container engine, which NsJail does not attempt to be. - How do you plan to maintain it? Inside a packaging team? I want to maintain it as part of the "pkg-security" team.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature