Bug#964199: ITP: nsjail -- A light-weight process isolation tool using namespaces and seccomp-bpf syscall filters

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#964199: ITP: nsjail -- A light-weight process isolation tool using namespaces and seccomp-bpf syscall filters
From: Christian Blichmann <cblichmann@google.com>
Date: Fri, 3 Jul 2020 16:06:42 +0200
Message-id: <[🔎] CALgr0uQD7upEJR9E=PfE08EFJ6boXb6xU0cZ1Z8w0FUJje2acQ@mail.gmail.com>
Reply-to: Christian Blichmann <cblichmann@google.com>, 964199@bugs.debian.org

Package: wnpp
Severity: wishlist
Owner: Christian Blichmann <mail@blichmann.eu>

* Package name : nsjail
Version : 2.9
Upstream Author : Robert Swiecki <robert@swiecki.net>
* URL : https://nsjail.dev/
* License : Apache-2.0
Programming Lang: C++
Description : A light-weight process isolation tool using
namespaces and seccomp-bpf syscall filters

Long description:

NsJail is a process isolation tool for Linux. It utilizes the Linux
namespace subsystem, resource limits, and the seccomp-bpf syscall
filters of the Linux kernel.

It can help you with (among other things):
- Isolating networking services (e.g. web, time, DNS), by isolating
them from the rest of the OS
- Hosting computer security challenges (so-called CTFs)
- Containing invasive syscall-level OS fuzzers

- - - - - - -

- Why is this package useful/relevant?

NsJail is a useful stand-alone tool to quickly isolate Linux processes.
Among other things, it is used inside of Docker containers to provide
an additional security layer that is easier to configure and more fine-
grained than what Docker allows out of the box.

- Is it a dependency for another package?

No, NsJail is a stand-alone tool.

- Do you use it?

I personally use it, but more importantly, it is used inside of Google
to secure real production workloads.
Capture-the-Flag competitions organized by Google also often use it.
Google's Certificate Authority runs binaries inside of NsJail as part
of its operation.

- If there are other packages providing similar functionality,
how does it compare?

There are tools with overlapping functionality in Debian:
* schroot uses the chroot() system call and is not a security tool
* fakeroot uses a preloaded library to fake root access
* Docker has some security functionality built-in, but is not as
fine-grained and harder to configure. It's also a full container
engine, which NsJail does not attempt to be.

- How do you plan to maintain it? Inside a packaging team?

I want to maintain it as part of the "pkg-security" team.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply to:

Prev by Date: Processed: ITP: rosa -- Removal of Spurious Antisense in biological RNA sequences
Next by Date: Bug#916333: marked as done (ITP: dav1d -- fast and small AV1 video stream decoder)
Previous by thread: Processed: ITP: rosa -- Removal of Spurious Antisense in biological RNA sequences
Next by thread: Bug#916333: marked as done (ITP: dav1d -- fast and small AV1 video stream decoder)
Index(es):
- Date
- Thread