#964199 ITP: nsjail -- A light-weight process isolation tool using namespaces and seccomp-bpf syscall filters

Package:
wnpp
Source:
wnpp
Submitter:
Christian Blichmann
Date:
2025-12-05 17:59:01 UTC
Severity:
wishlist
#964199#5
Date:
2020-07-03 14:06:42 UTC
* Package name : nsjail
Version : 2.9
Upstream Author : Robert Swiecki <robert@swiecki.net>
* URL : https://nsjail.dev/
* License : Apache-2.0
Programming Lang: C++
Description : A light-weight process isolation tool using
namespaces and seccomp-bpf syscall filters

Long description:

NsJail is a process isolation tool for Linux. It utilizes the Linux
namespace subsystem, resource limits, and the seccomp-bpf syscall
filters of the Linux kernel.

It can help you with (among other things):
- Isolating networking services (e.g. web, time, DNS), by isolating
them from the rest of the OS
- Hosting computer security challenges (so-called CTFs)
- Containing invasive syscall-level OS fuzzers

- - - - - - -

- Why is this package useful/relevant?

NsJail is a useful stand-alone tool to quickly isolate Linux processes.
Among other things, it is used inside of Docker containers to provide
an additional security layer that is easier to configure and more
fine-grained than what Docker allows out of the box.

- Is it a dependency for another package?

No, NsJail is a stand-alone tool.

- Do you use it?

I personally use it, but more importantly, it is used inside of Google
to secure real production workloads.
Capture-the-Flag competitions organized by Google also often use it.
Google's Certificate Authority runs binaries inside of NsJail as part
of its operation.

- If there are other packages providing similar functionality,
how does it compare?

There are tools with overlapping functionality in Debian:
* schroot uses the chroot() system call and is not a security tool
* fakeroot uses a preloaded library to fake root access
* Docker has some security functionality built in, but it is not as
fine-grained and is harder to configure. It's also a full container
engine, which NsJail does not attempt to be.

- How do you plan to maintain it? Inside a packaging team?

I want to maintain it as part of the "pkg-security" team.

#964199#10
Date:
2022-01-31 17:43:08 UTC
Howdy, I created a package for `nsjail`, then noticed it's already been
worked on, but this bug has been open a while. Is there any way I can help?
Or I'm happy to take over as well.

Thanks.

#964199#15
Date:
2022-06-09 16:23:04 UTC
Hi!

* Christian Blichmann [Fri Jul 03, 2020 at 04:06:42PM +0200]:
[...]

A friend of mine asked me about the Debian packaging of nsjail and I
stumbled upon this ITP, and also noticed that we've got
https://salsa.debian.org/pkg-security-team/nsjail already.
Is there anything missing yet for uploading it towards Debian? :)

Thanks!

regards
-mika-

#964199#20
Date:
2022-06-10 07:26:16 UTC
Hi Michael,

Well, I got reasonably far in my first go and the packaging itself was
mostly done. However, IIRC, I had some trouble with nsjail's Kafel
dependency -- it's in the repo as a sub-module and I'm unsure how to
properly generate the source tarball for this. Packaging Kafel separately
IMO makes no sense, as nsjail is literally the only project using this.

There have been several releases since I last touched the packaging, so
that will need some updating, too.

I cannot promise anything, but I'll try to look into this a bit more next
week.


Cheers,

#964199#25
Date:
2022-06-10 07:35:41 UTC
Hi Christian,

* Christian Blichmann [Fri Jun 10, 2022 at 09:26:16AM +0200]:

Ah I see, thanks for the information.

Great, thanks for your response, appreciated!

regards
-mika-

#964199#32
Date:
2025-12-05 17:57:12 UTC
I'd like to resurrect this effort to package nsjail. I've started by
packaging kafel, which nsjail depends on, and I'm looking for a sponsor. I
have nsjail ready to submit as well.

RFS: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110378
ITP: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110377
Package: https://mentors.debian.net/package/kafel/