Skip to content

@robertswiecki robertswiecki released this Sep 6, 2019 · 15 commits to master since this release

  • even more C++-isms (e.g. RETURN_ON_FAILURE)
  • improved EINTR handling
  • improved configs for some tools
  • changed default RLIMIT_AS to 4GiB
  • rudimentary support for cgroups2
  • added option to ignore rlimits
  • fixed setcwd() w/o CLONE_NEWNS
Assets 2

@robertswiecki robertswiecki released this Nov 19, 2018 · 99 commits to master since this release

  • even more C++-isms
  • clearer main process loop
  • refactored cgroup setting code
  • ability to specify noexec/nodev/nosuid in mounts
  • updated kafel
  • added --macvlan_vs_ma option
  • better configs/
  • changed behavior of --env - empty var means passing it from parent
Assets 2

@robertswiecki robertswiecki released this Jun 12, 2018 · 143 commits to master since this release

  • More C++'isms across the code
  • Removed 'tmpfs_size', '-m none:dest:tmpfs:size=....' can be used for that
  • Added support for SECCOMP_FILTER_FLAG_LOG
  • Save and restore console state before/after running the subprocesses
  • Make use of newer kafel version
  • '--iface_own' can be used to put some interface into a jail
  • Updated some configs/ (e.g. for Firefox)
  • '-s' can be used to specify symlinks via the cmd-line
Assets 2

@robertswiecki robertswiecki released this Apr 19, 2018 · 198 commits to master since this release

  • Various smaller bugfixes
  • Updated man page
  • Newer kafel with support for i386
  • Updated Dockerfile
Assets 2

@robertswiecki robertswiecki released this Feb 16, 2018 · 219 commits to master since this release

  • Convert code to C++ to simplify sys/queue -> vector operations
  • Make it compile under gcc/g++-4.8
  • Add -m option for arbitrary mounts
  • Create BPF policy once only
Assets 2

@robertswiecki robertswiecki released this Jan 31, 2018 · 299 commits to master since this release

  • open kafel file in each kafel subproc individually to avoid file posiiton sharing
  • more and better examples in configs/
Assets 2

@robertswiecki robertswiecki released this Dec 5, 2017 · 315 commits to master since this release

  • fixed --max_conns_per_ip
  • made it compilable under OpenWRT
  • removed lingering -fblocks code
  • better config example for ImageMagick
  • fixed check for non-existent group- and user-names
Assets 2

@robertswiecki robertswiecki released this Oct 31, 2017 · 327 commits to master since this release

  • Works correctly with some archs which need aligned stack for clone (e.g. aarch64)
  • Enable CLONE_NEWCGROUP by default (can be disabled)
  • Added CTRL+\ (SIGQUIT) handler to show all connections
  • Create new dirs in /run/user/ first (instead of /tmp)
  • Unblock all signals prior to execve
  • Don't start new ns-init id CLONE_NEWPID is not requested
  • Support cgroup net_cls subsystem
  • Mount: better statvfs -> mount flags mapping
Assets 2

@robertswiecki robertswiecki released this Oct 19, 2017 · 367 commits to master since this release

  • Works correctly with some 32bit platforms that use setres(u|g)id32
  • Supports executing binaries through execveat
  • New config example for busybox which demonstrates use of execveat
Assets 2

@robertswiecki robertswiecki released this Oct 16, 2017 · 383 commits to master since this release

Fixes a crash in <= nsjail-1.9 where a stack variable was incorrectly marked as 'static', overflowing an array after a couple hundred of executions of a single program (e.g. in -Ml and -Mr modes)

Assets 2
You can’t perform that action at this time.