-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathREADME
More file actions
35 lines (30 loc) · 1.6 KB
/
README
File metadata and controls
35 lines (30 loc) · 1.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
appjail is a tool that runs an application in an isolated environment, or jail.
It is designed to be executed by an unprivileged user. When called, it sets up
a new IPC, mount and PID namespace. It then unmounts the /home, /var/tmp and
/tmp directories and replaces them with private ones. The jail further gets its
private POSIX shared memory space (/dev/shm) and private set of pseudo TTYs.
Inside the jail, it is impossible to raise privileges using setuid binaries or
file capabilities.
appjail requires a kernel with the following options enabled:
CONFIG_NAMESPACES=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
It also needs a file system with support for file capabilities.
To compile and install appjail, run the following commands:
$ ./autogen.sh
$ ./configure
$ make
Then, as root, run
# make install
# setcap cap_sys_admin,cap_chown,cap_net_admin=p /usr/local/bin/appjail
If you don't need the -N option, run instead
# setcap cap_sys_admin,cap_chown=p /usr/local/bin/appjail
Usage examples:
* Run skype. Create ~/jailhomes/skype and execute
$ appjail -X --x11-trusted -H ~/jailhomes/skype -R user --keep-ipc-namespace --keep-shm skype
Qt applications like skype needs --keep-ipc-namespace to communicate with the X
server via the MIT-SHM extension. Pulseaudio requires --keep-shm to function.
* Run steam. Create ~/jaihomes/steam and execute
$ appjail -X --x11-trusted -H ~/jailhomes/steam -R user --system-bus --keep-ipc-namespace --keep-shm steam
Note that steam crashes without --system-bus. It works without --keep-ipc-namespace,
but you lose hardware accelerated GUI rendering and video decoding.