Skip to content
/ jail Public
forked from redpwn/jail

An nsjail Docker image for CTF pwnables. Easily create secure, isolated inetd-style services.

License

BSD-3-Clause license
0 stars 14 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

CSeCIITB/jail

BranchesTags
 
 

Repository files navigation

jail

An nsjail Docker image for CTF pwnables. Easily create secure, isolated inetd-style services.

Features

  • Efficiently start a new container-like jail for each incoming TCP connection
  • Route each connection to the jail's stdio
  • Enforce per-connection CPU/memory/PID/disk resource limits
  • Require a proof of work for each connection

Quick Start

In examples/shell, run:

sysctl -w kernel.unprivileged_userns_clone=1 # debian <= 10 only
docker-compose up

To connect, run:

nc 127.0.0.1 5000

For an example of installing packages inside the jail, see examples/cowsay.

For a Python example with environment configuration, see examples/python.

Proof of Work

To require a proof of work from clients for every connection, set JAIL_POW to a nonzero difficulty value. Each difficulty increase of 1500 requires approximately 1 second of CPU time. The proof of work system is designed to not be parallelizable.

The script pwn.red/pow downloads, caches, and runs the solver.

Runtime Reference

The container listens on JAIL_PORT (default 5000) for incoming TCP connections.

Jail requires some container security options. The example docker-compose.yml specifies these options.

  • AppArmor: unconfined
  • seccomp: unconfined
  • Capabilities: chown, setuid, setgid, sys_admin

Configuration Reference

/srv in the container is mounted to / in each jail. Inside each jail, /app/run is executed with a working directory of /app.

To configure, use ENV. To remove a limit, set its value to 0.

Name Default Description
JAIL_TIME 20 Maximum wall seconds per connection
JAIL_CONNS 0 Maximum concurrent connections across all IPs
JAIL_CONNS_PER_IP 0 Maximum concurrent connections for each IP
JAIL_PIDS 5 Maximum PIDs per connection
JAIL_MEM 5M Maximum memory per connection
JAIL_CPU 100 Maximum CPU milliseconds per wall second per connection
JAIL_POW 0 Proof of work difficulty
JAIL_PORT 5000 Port number to bind to
JAIL_DEV null,zero,urandom Device files available in /dev separated by ,
JAIL_SYSCALLS (none) Additional allowed syscall names separated by ,
JAIL_TMP_SIZE 0 Maximum size of writable /tmp directory in each jail

If it exists, /jail/hook.sh is executed before the jail starts. Use this script to configure nsjail options or the execution environment.

Files in JAIL_DEV are only available if /srv/dev exists.

About

An nsjail Docker image for CTF pwnables. Easily create secure, isolated inetd-style services.

Resources

Readme

License

BSD-3-Clause license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

7 tags

Packages

No packages published

Languages

  • Go 95.5%
  • Dockerfile 4.5%