Skip to content
Tech News
← Back to articles

Show HN: Z-Jail – A 130 KB Linux sandbox-C99 with 7 defense layers and zero deps

read original more articles
Why This Matters

Z-Jail is a lightweight, multi-layer Linux sandboxing tool that offers robust security features with minimal size (~130 KB) and no external dependencies. Its design fills a niche between minimal sandbox solutions and more complex container runtimes, making it ideal for CI pipelines, CTF challenges, and lightweight code evaluation, while maintaining a strong defense-in-depth approach.

Key Takeaways

Z-Jail Multi-layer sandbox for native code execution on Linux.

Seven independent defence layers — no external dependencies, ~130 KiB PIE binary.

┌──────────────────────────────────────────────────────┐ │ Z-Jail │ ├──────────────────────────────────────────────────────┤ │ Truthimatics Public Version (evidence-based verdict engine) │ │ Namespaces (mount, pid, net, ipc, uts) │ │ pivot_root (chroot on steroids) │ │ Capabilities (drop all, lock securebits) │ │ NO_NEW_PRIVS (no privilege escalation) │ │ seccomp-BPF (whitelist: 15 syscalls only) │ │ Audit (JSON logging + BLAKE2b hashing) │ └──────────────────────────────────────────────────────┘

Table of Contents

Quick Start

git clone https://github.com/Division-36/Z-Jail.git cd Z-Jail make sudo ./z_jail --root=/path/to/rootfs --seccomp-enforce -- /bin/ls

The --root directory should contain a minimal filesystem with the target binary and its dependencies (for static binaries, just the binary is enough).

Why Z-Jail

Existing sandboxing solutions make trade-offs:

Z-Jail Firecracker gVisor bwrap nsjail External deps zero libc, seccomp Go runtime libc libc, protobuf Binary size ~130 KiB 20+ MiB 40+ MiB ~70 KiB ~1 MiB VM isolation no yes (microVM) no (sandbox) no no seccomp whitelist yes no yes optional yes Content hashing yes no no no no Audit JSON yes no yes no partial Build complexity one make complex complex trivial moderate

... continue reading