this post was submitted on 30 Aug 2024
3 points (100.0% liked)

Linux

48212 readers
783 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I recently learned about nsjail, a utility to sandbox applications or provide workload isolation.

It seems to be lighter weight than firejail and possibly better suited for server applications.

Has anyone used this? What's your experience with it? I'm curious about using it for my web server applications as an additional layer of Dr hotty.

top 9 comments
sorted by: hot top controversial new old
[–] [email protected] 2 points 2 months ago (1 children)

server applications

Note that systemd can use most if not all of the isolation features nsjail lists in the readme already for services it manages.

[–] [email protected] 2 points 2 months ago (1 children)

I've been curious about that. I use openRC, so I don't have access to systemd. Not out of any systemd conspiracies, I just liked simplicity of openRC.

[–] [email protected] 1 points 2 months ago

Ah, yeah openrc is nice and I used it for a long time with gentoo, but it does lack a lot of the useful features like this one.

[–] [email protected] 1 points 2 months ago (1 children)

I've never heard of nsjail, so I wouldn't know. But there's also bubblewrap which is used by Flatpak for sandboxing. It's very small, although a bit annoying to use.

[–] [email protected] 2 points 2 months ago

Bubblewrap seemed much less user friendly than nsjail, I assume because it is intended to be a lower level application used by libraries like flatpak. It is also more tailored to desktop applications and GUIs, whereas nsjail is focused on server apps (though I did see the author mentioning adding better support for GUIs years ago, but I did not check if that happened).

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago)

Afaik RedBot (oss, extensible discord bot in Python) used it to allow people to run python scripts directly from discord without access to the file system, network and to limit the run time.

In my book I've had categorised it as a lower-level tool for security and sandboxing, a lot lower level then firejail is.

[–] [email protected] 1 points 2 months ago (1 children)

No and to be honest without a clear comparison with the advantages AND disadvantages with the most popular solutions, e.g containers with implementations like Docker or Podman, I don't think I ever will.

Obviously it's nice to have alternatives which I bet can be interesting in specific use cases but without a way to understand in which specific situations it would be worth investing to learn the tooling, principles, etc then I would, naively, stay with the status quo.

TL;DR: any comparison vs Docker?

[–] [email protected] 1 points 2 months ago (1 children)

I'm not an expert, but I'll try my best to compare it to docker:

You can think of nsjail as a lightweight frontend for kernel isolation features like namespaces, sys call filtering, and the like.

Docker is also a frontend for some of those kernel features, but its original goal was not security isolation, but rather isolation for the sake of reproducibility. This isn't to say that docker isn't secure, they did add those features eventually, but they are less intuitive to change and mess with, and you have some added complexities. Whereas nsjail stays as close to the system as possible. As far as I'm aware, there's no concept of an image, and its not necessary for every app to have an entire OS user land with it (although you can if you want to).

If your goal is security, docker's defaults are reasonably good, but also made to not get in the way of most applications. This might be good enough for many. However, docker's security is more difficult to customize and less straightforward if you need to change it.

If your goal is security, and more so than docker's defaults, nsjail gets you there muchhh more easily. Whether nsjail has more security features than docker, I don't know.

[–] [email protected] 2 points 2 months ago

Thanks a lot for taking the time to explain.

I did notice CTF on the description so I imagine "escaping" it is "harder" than with containers. I recently participated to SplinterCon which included a "block-a-thon" (cf day 2 of https://splintercon.net/brussels/ ) to try to escape a limited environment, approximately simulating the limited Internet access of some political regime. It might be interesting in that context too.

Could also be interesting then to distinguish which defaults are changed compared to Docker ones or examples for which nsjail is currently preferred.