Z-Jail
Multi-layer sandbox for native code execution on Linux.
Seven independent defence layers — no external dependencies, ~130 KiB PIE binary.
┌─────────────────────────────────────────────────────────────┐
│                           Z-Jail                            │
├─────────────────────────────────────────────────────────────┤
│ Truthimatics Public Version (evidence-based verdict engine) │
│ Namespaces    (mount, pid, net, ipc, uts)                   │
│ pivot_root    (chroot on steroids)                          │
│ Capabilities  (drop all, lock securebits)                   │
│ NO_NEW_PRIVS  (no privilege escalation)                     │
│ seccomp-BPF   (whitelist: 15 syscalls only)                 │
│ Audit         (JSON logging + BLAKE2b hashing)              │
└─────────────────────────────────────────────────────────────┘
Quick Start
    git clone https://github.com/Division-36/Z-Jail.git
    cd Z-Jail
    make
    sudo ./z_jail --root=/path/to/rootfs --seccomp-enforce -- /bin/ls
The --root directory should contain a minimal filesystem with the target binary and its dependencies (for static binaries, just the binary is enough).
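One way to build such a root directory for a dynamically linked binary, as an added example that is not part of the Z-Jail repository. The helper names populate_rootfs and list_deps are hypothetical, and /tmp/jail in the usage comment is a constructed path.

```shell
#!/bin/sh
# Added example: populate a minimal rootfs to pass to z_jail --root=...
# list_deps and populate_rootfs are hypothetical helpers, not part of Z-Jail.
#
# ldd may run the target's ELF interpreter, so use it only on binaries you
# trust (for example your own build of the program you intend to jail).

# Print the absolute path of every shared object BINARY needs, one per line.
# Prints nothing for a static binary (ldd reports no dynamic dependencies).
list_deps() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# populate_rootfs ROOT BINARY
# Copies BINARY and each dependency into ROOT under the same absolute path,
# so the dynamic loader resolves them once ROOT becomes the jail's "/".
# The body runs in a subshell, so its variables do not leak to the caller.
populate_rootfs() (
    root=$1
    bin=$2
    [ -n "$root" ] && [ -x "$bin" ] || {
        echo "usage: populate_rootfs ROOT BINARY" >&2
        exit 2
    }
    case $bin in
        /*) ;;
        *) echo "BINARY must be an absolute path" >&2; exit 2 ;;
    esac

    { echo "$bin"; list_deps "$bin"; } | while IFS= read -r src; do
        dest=$root$src
        mkdir -p "$(dirname "$dest")" || exit 1
        cp -L "$src" "$dest" || exit 1   # -L copies the file behind a symlink
    done
)

# Usage (constructed path):
#   populate_rootfs /tmp/jail /bin/ls
#   sudo ./z_jail --root=/tmp/jail --seccomp-enforce -- /bin/ls
if [ "$#" -eq 2 ]; then
    populate_rootfs "$1" "$2"
fi
```

Libraries that ldd reports as "not found" have no path and are skipped, so check the ldd output if the jailed program fails to start.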
Why Z-Jail
Existing sandboxing solutions make trade-offs:
                   Z-Jail     Firecracker      gVisor         bwrap      nsjail
External deps      zero       libc, seccomp    Go runtime     libc       libc, protobuf
Binary size        ~130 KiB   20+ MiB          40+ MiB        ~70 KiB    ~1 MiB
VM isolation       no         yes (microVM)    no (sandbox)   no         no
seccomp whitelist  yes        no               yes            optional   yes
Content hashing    yes        no               no             no         no
Audit JSON         yes        no               yes            no         partial
Build complexity   one make   complex          complex        trivial    moderate