Skip to content
/ jail Public
forked from redpwn/jail

An nsjail Docker image for CTF pwnables

License

BSD-3-Clause license
0 stars 20 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

CMU-Math/jail

BranchesTags
 
 

Repository files navigation

redpwn/jail

An nsjail Docker image for CTF pwnables

Quick Start

In examples/shell, run:

sysctl -w kernel.unprivileged_userns_clone=1 # debian <= 10 only
docker-compose up

To connect to the jail, run:

nc 127.0.0.1 5000

For an example of installing packages inside the jail, see examples/cowsay.

For a Python example with environment configuration, see examples/python.

Proof of Work

To require a proof of work from clients for every connection, set JAIL_POW to a nonzero difficulty value. Each difficulty increase of 1500 requires approximately 1 second of CPU time. The proof of work system is designed to not be parallelizable.

For convenience, the proof of work system uses the script pwn.red/pow, which downloads, caches, and runs the solver.

Runtime Reference

The container listens on JAIL_PORT (default 5000) for incoming TCP connections.

Jails require some container security options. The example docker-compose.yml specifies these options.

  • AppArmor: unconfined
  • seccomp: unconfined
  • Capabilities: chown, setuid, setgid, sys_admin

Jails are not compatible with SELinux.

Configuration Reference

/srv outside the jail is mounted to / inside the jail. Inside each jail, /app/run is executed with a working directory of /app.

To configure, use ENV. To remove a limit, set its value to 0.

Name Default Description
JAIL_TIME 20 Maximum wall seconds per connection
JAIL_CONNS 0 Maximum concurrent connections across all IPs
JAIL_CONNS_PER_IP 0 Maximum concurrent connections for each IP
JAIL_PIDS 5 Maximum PIDs per connection
JAIL_MEM 5M Maximum memory per connection
JAIL_CPU 100 Maximum CPU milliseconds per wall second per connection
JAIL_POW 0 Proof of work difficulty
JAIL_PORT 5000 Port number to bind to
JAIL_SYSCALLS (none) Additional allowed syscall names separated by ,
JAIL_TMP_SIZE 0 Maximum size of writable /tmp directory

If it exists, /jail/hook.sh is executed before the jail starts. Use this script to configure nsjail options or the execution environment.

If /srv/dev exists, /dev/null, /dev/zero, and /dev/urandom are available inside the jail.

About

An nsjail Docker image for CTF pwnables

Resources

Readme

License

BSD-3-Clause license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

5 tags

Packages

No packages published

Languages

  • Go 96.0%
  • Dockerfile 4.0%