I recently learned about nsjail, a utility to sandbox applications or provide workload isolation.

It seems to be lighter weight than firejail and possibly better suited for server applications.

Has anyone used this? What’s your experience with it? I’m curious about using it for my web server applications as an additional layer of Dr hotty.

  • matcha_addictOP
    link
    fedilink
    English
    arrow-up
    4
    ·
    3 months ago

    I’m not an expert, but I’ll try my best to compare it to docker:

    You can think of nsjail as a lightweight frontend for kernel isolation features like namespaces, sys call filtering, and the like.

    Docker is also a frontend for some of those kernel features, but its original goal was not security isolation, but rather isolation for the sake of reproducibility. This isn’t to say that docker isn’t secure, they did add those features eventually, but they are less intuitive to change and mess with, and you have some added complexities. Whereas nsjail stays as close to the system as possible. As far as I’m aware, there’s no concept of an image, and its not necessary for every app to have an entire OS user land with it (although you can if you want to).

    If your goal is security, docker’s defaults are reasonably good, but also made to not get in the way of most applications. This might be good enough for many. However, docker’s security is more difficult to customize and less straightforward if you need to change it.

    If your goal is security, and more so than docker’s defaults, nsjail gets you there muchhh more easily. Whether nsjail has more security features than docker, I don’t know.

    • utopiah@lemmy.ml
      link
      fedilink
      arrow-up
      3
      ·
      3 months ago

      Thanks a lot for taking the time to explain.

      I did notice CTF on the description so I imagine “escaping” it is “harder” than with containers. I recently participated to SplinterCon which included a “block-a-thon” (cf day 2 of https://splintercon.net/brussels/ ) to try to escape a limited environment, approximately simulating the limited Internet access of some political regime. It might be interesting in that context too.

      Could also be interesting then to distinguish which defaults are changed compared to Docker ones or examples for which nsjail is currently preferred.