google / nsjail

A lightweight process isolation tool that utilizes Linux namespaces, cgroups, rlimits and seccomp-bpf syscall filters, leveraging the Kafel BPF language for enhanced security.
https://nsjail.dev
Apache License 2.0
2.96k stars, 275 forks

Nsjail doesn't work for new Ubuntu24/Docker27 versions #238

Closed MohamedKarrab closed 2 weeks ago

MohamedKarrab commented 3 weeks ago

Hello, I have been using nsjail with Docker fine for months on my Ubuntu machine:

Linux 6.2.0-39-generic #40-Ubuntu SMP PREEMPT_DYNAMIC Tue Nov 14 14:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Distributor ID: Ubuntu
Description:    Ubuntu 23.04
Release:        23.04
Codename:       lunar

Docker version 25.0.2, build 29cf629

But when I tried to use it on this machine, it started misbehaving and is not working anymore:

Linux  6.8.0-1013-azure #15-Ubuntu SMP Thu Aug  8 18:40:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Distributor ID: Ubuntu
Description:    Ubuntu 24.04 LTS
Release:        24.04
Codename:       noble

Docker version 27.2.0, build 3ab4256
 ✔ Container siclodb  Recreated  0.8s
Attaching to siclodb
siclodb  | [I][2024-10-11T20:51:02+0000] Mode: STANDALONE_ONCE
siclodb  | [I][2024-10-11T20:51:02+0000] Jail parameters: hostname:'NSJAIL', chroot:'', process:'/home/ctf/entrypoint.sh', bind:[::]:0, max_conns:0, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:false, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:true, clone_newtime:false, keep_caps:false, disable_no_new_privs:false, max_cpus:0
siclodb  | [I][2024-10-11T20:51:02+0000] Mount: '/' flags:MS_RDONLY type:'tmpfs' options:'' dir:true
siclodb  | [I][2024-10-11T20:51:02+0000] Mount: '/chroot' -> '/' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
siclodb  | [I][2024-10-11T20:51:02+0000] Mount: '/dev' -> '/dev' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
siclodb  | [I][2024-10-11T20:51:02+0000] Mount: '/dev/null' -> '/dev/null' flags:MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:false
siclodb  | [I][2024-10-11T20:51:02+0000] Mount: '/tmp' flags: type:'tmpfs' options:'' dir:true
siclodb  | [I][2024-10-11T20:51:02+0000] Mount: '/proc' flags:MS_RDONLY type:'proc' options:'' dir:true
siclodb  | [I][2024-10-11T20:51:02+0000] Uid map: inside_uid:1337 outside_uid:1337 count:1 newuidmap:false
siclodb  | [I][2024-10-11T20:51:02+0000] Gid map: inside_gid:1337 outside_gid:1337 count:1 newgidmap:false
siclodb  | [E][2024-10-11T20:51:02+0000][1] initCloneNs():391 mount('/', '/', NULL, MS_REC|MS_PRIVATE, NULL): Permission denied
siclodb  | [W][2024-10-11T20:51:02+0000][1] runChild():505 Received error message from the child process before it has been executed
siclodb  | [E][2024-10-11T20:51:02+0000][1] standaloneMode():275 Couldn't launch the child process
siclodb  | [F][2024-10-11T20:51:02+0000][1] runChild():485 Launching child process failed
siclodb exited with code 255

happyCoder92 commented 2 weeks ago

See #236
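The line that fails in the log above is mount('/', '/', NULL, MS_REC|MS_PRIVATE, NULL) returning EPERM after nsjail has already entered fresh user and mount namespaces (clone_newuser:true, clone_newns:true). The probe below is an added diagnostic, not part of nsjail and not posted by anyone in this thread: it repeats exactly those two steps in a throw-away child, so you can tell whether the container itself forbids the private remount of / (in which case the runtime's confinement, commonly a seccomp or AppArmor policy, is what to inspect) before looking at how nsjail is invoked. The struct probe_result, probe_private_root and describe_probe names and the verdict strings are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Namespace flags nsjail used per the log (clone_newuser:true, clone_newns:true).
 * Defined locally so the probe builds even where <sched.h> hides them. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* step: 0 = both calls succeeded, 1 = unshare() failed, 2 = mount() failed,
 * -1 = the probe child could not be run or observed; err = errno of that step. */
struct probe_result { int step; int err; };

/* Reproduces what initCloneNs() does up to the failing call: enter new
 * user+mount namespaces, then mount('/', '/', NULL, MS_REC|MS_PRIVATE, NULL).
 * Runs in a forked child so the caller's namespaces are left untouched. */
struct probe_result probe_private_root(int ns_flags) {
    struct probe_result r = { -1, 0 };
    int fd[2];
    if (pipe(fd) != 0) { r.err = errno; return r; }
    pid_t pid = fork();
    if (pid < 0) { r.err = errno; close(fd[0]); close(fd[1]); return r; }
    if (pid == 0) {
        struct probe_result c = { 0, 0 };
        close(fd[0]);
        /* raw syscall: avoids depending on the libc prototype being visible */
        if (syscall(SYS_unshare, ns_flags) != 0) {
            c.step = 1; c.err = errno;
        } else if (mount("/", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) {
            c.step = 2; c.err = errno;   /* EPERM here is the log's "Permission denied" */
        }
        if (write(fd[1], &c, sizeof c) != (ssize_t)sizeof c) _exit(1);
        _exit(0);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], &r, sizeof r);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof r) { r.step = -1; r.err = EIO; }
    return r;
}

/* Short verdict; the caller prints strerror(err) for the detail. */
const char *describe_probe(struct probe_result r) {
    switch (r.step) {
    case 0:  return "ok";
    case 1:  return r.err == EPERM ? "unshare-denied" : "unshare-failed";
    case 2:  return r.err == EPERM ? "mount-denied"   : "mount-failed";
    default: return "probe-error";
    }
}

int main(void) {
    struct probe_result r = probe_private_root(CLONE_NEWUSER | CLONE_NEWNS);
    printf("%s", describe_probe(r));
    if (r.step != 0)
        printf(" (step %d, errno %d: %s)", r.step, r.err, strerror(r.err));
    printf("\n");
    return r.step == 0 ? 0 : 1;
}
```

Build with `cc -o probe_private_root probe_private_root.c`, then run it as the same unprivileged uid both inside the container (docker exec) and on the host. A host verdict of "ok" next to a container verdict of "mount-denied" reproduces the log's failure with nsjail out of the picture, which narrows the cause to the container runtime's policy rather than the jail configuration; "unshare-denied" instead means the container never gets as far as nsjail's clone step and user namespaces themselves are being refused.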