Simple user space utility to jail processes; its main purpose is to provide a fair sense of safety when running not fully trusted binaries on Linux.
Just download this repository and invoke make (or make release for an optimized build). This project does not depend on any library; only a recent kernel and a C++11 compiler are needed.
    ./emajail --help
    [3058] 2017-07-23 19:02:03.832 (INFO) Starting emajail ...
    Usage: ./emajail [options] cmd [arg...]
    Create a child process in a sandboxed environment
    without modifying any existing file (using overlayFS)

    Options can be:

    --empty-home            Sets up an empty /home on 'tmpfs'
    --empty-proc            Sets up an empty /proc on 'proc'. Please note
                            this will set the flag CLONE_NEWPID and implies
                            software may not work (PulseAudio, ...)
    -h,--help               Print this screen and quit
    -j,--jail               Quick combination as specifying the three options
                            --empty-home, --empty-proc and -s
    -o,--overlay-dir path   Use a fixed path for overlayFS
                            (otherwise on /dev/shm/emajail_XXXXXX)
    --skip-dirs             Print directories to not overlay and quit
    --silent                Do not print any logline
    -s,--strict             Add IPC isolation level and create a new PID group; this
                            option might imply some software to not work or
                            fail at unexpected points, but increases security
                            levels greatly
This will spawn a process and create a new file that is visible only within the current session:

    ./emajail vim ./wontstay.txt

This will instead spawn a highly isolated, stand-alone process:

    ./emajail -j glxgears
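The mechanism behind "without modifying any existing file (using overlayFS)", as an added example that is not emajail's own code: a child enters new user and mount namespaces, mounts an overlay over a directory and writes wontstay.txt through it, and the parent then checks where the write landed. The /tmp paths, the upper/work layout, the helper names and the use of a user namespace (so the demo runs unprivileged, which needs kernel 5.11 or later for overlay mounts) are assumptions of this example.

```cpp
// Added example, not emajail's code: overlay a directory inside a private mount
// namespace so writes land in a scratch "upper" dir and never reach "lower".
#include <sched.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#include <cstdlib>
#include <fstream>
#include <string>

enum class Result { Isolated, Leaked, Unsupported };
// mount(2) data string for type "overlay"; the upper/work names are assumptions.
std::string overlay_opts(const std::string& lower, const std::string& scratch) {
    return "lowerdir=" + lower + ",upperdir=" + scratch + "/upper,workdir=" + scratch + "/work";
}

static bool put(const std::string& path, const std::string& text) {
    std::ofstream f(path);  // a failed open leaves f in a fail state, so this returns false
    return static_cast<bool>(f << text << std::flush);
}

// Runs in the child: new user + mount namespaces, overlay `lower`, write through it.
static int jailed_write(const std::string& lower, const std::string& scratch) {
    const std::string uid = std::to_string(getuid()), gid = std::to_string(getgid());
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) return 2;
    put("/proc/self/setgroups", "deny");  // required before gid_map can be written
    if (!put("/proc/self/uid_map", "0 " + uid + " 1") || !put("/proc/self/gid_map", "0 " + gid + " 1")) return 2;
    mount(nullptr, "/", nullptr, MS_REC | MS_PRIVATE, nullptr);  // no propagation to the host
    if (mount("overlay", lower.c_str(), "overlay", 0, overlay_opts(lower, scratch).c_str()) != 0) return 2;
    return put(lower + "/wontstay.txt", "jailed\n") ? 0 : 2;
}

Result demo() {
    char tmpl[] = "/tmp/overlay_demo_XXXXXX";  // constructed scratch location
    if (!mkdtemp(tmpl)) return Result::Unsupported;
    const std::string base = tmpl, lower = base + "/lower", scratch = base + "/scratch";
    for (const std::string& d : {lower, scratch, scratch + "/upper", scratch + "/work"}) mkdir(d.c_str(), 0700);
    pid_t pid = fork();
    if (pid < 0) return Result::Unsupported;
    if (pid == 0) _exit(jailed_write(lower, scratch));
    int st = 0;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) != 0) return Result::Unsupported;
    // The overlay vanished with the child's namespace: check where the write landed.
    bool in_lower = access((lower + "/wontstay.txt").c_str(), F_OK) == 0;
    bool in_upper = access((scratch + "/upper/wontstay.txt").c_str(), F_OK) == 0;
    return (!in_lower && in_upper) ? Result::Isolated : Result::Leaked;
}
int main() { return demo() == Result::Leaked ? 1 : 0; }
```

demo() returns Unsupported where the kernel or a container policy forbids unprivileged namespaces or overlay mounts.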
I wanted to use firejail but it wasn't straightforward - I wanted to have a fully read-only filesystem, but that wasn't easy with that software, so I decided to write something simple to just do the job.
It is much less - this software doesn't pretend to be as comprehensive a solution as firejail, but is definitely stricter than it and lets me/us explore Linux overlay-fs and namespaces in a very simple way.
This is open source; you can do what you want under the GPL3 - also send me pull requests!
Let's discuss - but also, you have the code, go on and have fun, then perhaps raise a pull request!
emajail (C) 2017 E. Oriani, ema <AT> fastwebnet <DOT> it
This file is part of emajail.
emajail is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
emajail is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with emajail. If not, see <http://www.gnu.org/licenses/>.
Thanks to Linux for being open source and to:
- firejail for not working as expected, being complex and thus inspiring me to write a simpler applet
- overlay-fs for making this happen
- Linux namespaces for making this happen (x2)