It'd be interesting to see a comparison of these -- the building blocks are (mostly) the same, but the interfaces differ in interesting ways:
- nsjail
- firejail
- bubblewrap
- runc
etc.
As a bubblewrap user, beware that https://github.com/containers/bubblewrap/pull/586 is still missing. The usual ^C doesn't work with your sandboxed stuff, which is very annoying.
A cursory look at nsjail tells me its filesystem handling is less granular than bwrap's bind mounting.
Firejail can't handle ':' in some paths (at all, no escaping provided), which made me dump it.
Me too, for me the ease of use is rather important. NSJail is very easy to use, I am not sure which ones I tried when looking for these tools but some of them were an absolute pain to get going.
Edit: funnily, ChatGPT o3-mini tells me nsjail is the second hardest to use (first = systemd) of these...
And jailer from Firecracker, and systemd itself, which has some similar capabilities.
And pledge(): https://justine.lol/pledge/
pledge is the OpenBSD version of Landlock, a pretty different category from the other namespace-based solutions listed.
It's still a reasonable comparison though. The seccomp-bpf that is part of nsjail achieves the same thing; one way to look at it is that Landlock/pledge are just a better implementation of approximately the same feature.
I don't really find it reasonable; Landlock-type functionality is a tiny subset of what namespace-based sandboxing offers. It's like comparing a scanner that authenticates ID cards against a fortified house.
Oh yeah I was just talking specifically about the seccomp-bpf bit. It's not comparable to nsjail as a whole.
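To make the "seccomp-bpf bit" of the comparison concrete, here is an added example (not code from nsjail or from anyone in this thread) of what a seccomp-bpf filter can and cannot express. It installs a filter that lets every syscall through except directory creation, which fails with EPERM, and probes the effect in a forked child so the caller's own process stays unfiltered. The filter only ever sees the syscall number and raw register arguments; it cannot dereference the path pointer, which is why a policy such as "deny writes under one directory" needs Landlock-style path rules or a mount namespace rather than seccomp. The probe directory name built under the parent you pass in is constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pick the AUDIT_ARCH_* value the filter is written for; a filter that skips
 * this check can be bypassed by issuing syscalls through a different ABI. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* older kernel headers lack it */
#endif

enum probe_result { PROBE_DENIED = 0, PROBE_ALLOWED = 1, PROBE_NO_SECCOMP = 2, PROBE_ERROR = 3 };

/* Install a filter that returns EPERM for mkdir/mkdirat and allows all else.
 * The BPF program sees only struct seccomp_data (syscall nr, arch, raw args);
 * the pathname behind args[0]/args[1] is a pointer it cannot follow. */
static int install_deny_mkdir_filter(void)
{
    struct sock_filter prog[] = {
        /* Kill the process if the syscall arrived via an unexpected ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number and compare it against the deny list. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_mkdir /* absent on aarch64, where only mkdirat exists */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdir, 1, 0),
#endif
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdirat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };

    /* Unprivileged callers must first promise never to gain privileges. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return -1;
    return 0;
}

/* Try to create a directory under parent_dir, optionally behind the filter.
 * The work happens in a forked child because a seccomp filter is inherited by
 * children and can never be removed from the process that installed it. */
int probe_mkdir(const char *parent_dir, int with_filter)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        char path[256];
        /* Constructed, pid-unique probe path so repeated runs do not collide. */
        snprintf(path, sizeof path, "%s/seccomp-bpf-demo-%ld", parent_dir, (long)getpid());
        if (with_filter && install_deny_mkdir_filter() != 0)
            _exit(PROBE_NO_SECCOMP);
        if (mkdir(path, 0700) == 0) {
            rmdir(path);
            _exit(PROBE_ALLOWED);
        }
        _exit(errno == EPERM ? PROBE_DENIED : PROBE_ERROR);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_ERROR;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("mkdir without filter: %d (1 = allowed)\n", probe_mkdir("/tmp", 0));
    printf("mkdir with filter:    %d (0 = denied with EPERM)\n", probe_mkdir("/tmp", 1));
    return 0;
}
```

Returning SECCOMP_RET_ERRNO rather than a kill action is the usual choice when the sandboxed program is expected to keep running and handle the failure; nsjail's policies are written in a higher-level language (kafel) that compiles down to exactly this kind of BPF program, with the same limitation that decisions are per-syscall, not per-path.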
So this is like jails for BSD?
Is there an equivalent for macOS?
Isn't macOS already isolating each app?
Isn't that for graphical apps (.app) only? How do I sandbox ffmpeg I installed via MacPorts, for example?
A few decades back we had the ability to cryogenically freeze processes, save them to storage, move the bins to another system, and defrost them to be run again. This was a great feature that I had hoped would make its way into mainstream kernels, but it seems to have disappeared off the face of the earth.
I wonder if the expansion of process isolation tooling will ever lead us back to this situation again, anyone know? It seems to me that strict isolation would be a vital rudimentary requirement for cryofreezing processes...
You might be looking for CRIU (https://criu.org/) - it works perfectly on the current kernel.
IIUC this even has logic to reconstitute TCP connections - https://criu.org/TCP_connection
A bit of a tangent, but it reminds me of the Deep Freeze Windows app: https://www.faronics.com/products/deep-freeze
I wonder if a similar tool exists for Linux.
Guest user account??
Yeah there is some capability for this, for example https://criu.org