What does HackerNews think of nsjail?

A light-weight process isolation tool, making use of Linux namespaces and seccomp-bpf syscall filters (with help of the kafel bpf language)

Language: C++

#72 in Linux

#38 in Security

Firejail: Light, featureful and zero-dependency security sandbox for Linux | Jul 2023

There is also https://github.com/google/nsjail

Notes on Running Containers with Bubblewrap | Jun 2022

Google's nsjail (https://github.com/google/nsjail) has a nice "inetd style" mode where it can launch a sandboxed process in response to a TCP connection for similar use cases to this (and is relatively quick to fire up).

Linux sandboxing improvements in Firefox 60 | May 2018

Expand Context ↕

Good to read about that you're feeling similar and thank you for the pointer, going to check it out.

Sadly this thread never gained traction, but I'd love to read more discussion about this: https://news.ycombinator.com/item?id=13838596

(Link for convenience for others) https://github.com/google/nsjail

Sandboxing Landscape | Apr 2017

Here's your cool, lightweight and easily configurable sandbox - https://github.com/google/nsjail

Ask HN: Best Linux sandbox? | Aug 2015

You should try using nsjail, which makes using namespaces and seccomp-bpf easy. It's very simple, it's made to wrap existing programs with a single command line invocation. Done and done.

https://github.com/google/nsjail