Scoopfeeds — Intelligent news, curated.
computer-science

Show HN: Z-Jail – A 130 KB Linux sandbox-C99 with 7 defense layers and zero deps

Hacker News · Jul 1, 2026, 7:18 PM

Key takeaways

  • Multi-layer sandbox for native code execution on Linux.
  • Existing sandboxing solutions make trade-offs:
  • Z-Jail fills the niche between bwrap (minimal, no seccomp-by-default) and nsjail (featureful, heavy deps).

Multi-layer sandbox for native code execution on Linux. Seven independent defence layers — no external dependencies, ~130 Ki B PIE binary.

┌──────────────────────────────────────────────────────┐ │ Z-Jail │ ├──────────────────────────────────────────────────────┤ │ Truthimatics Public Version (evidence-based verdict engine) │ │ Namespaces (mount, pid, net, ipc, uts) │ │ pivot_root (chroot on steroids) │ │ Capabilities (drop all, lock securebits) │ │ NO_NEW_PRIVS (no privilege escalation) │ │ seccomp-BPF (whitelist: 15 syscalls only) │ │ Audit (JSON logging + BLAKE2b hashing) │ └──────────────────────────────────────────────────────┘ Table of Contents Quick Start Why Z-Jail Architecture Layers Usage Build & Install Testing Performance Threat Model Documentation Roadmap License Quick Start git clone https://github.com/Division-36/Z-Jail.git cd Z-Jail make sudo ./z_jail --root=/path/to/rootfs --seccomp-enforce -- /bin/ls The --root directory should contain a minimal filesystem with the target binary and its dependencies (for static binaries, just the binary is enough).

Existing sandboxing solutions make trade-offs:

Article preview — originally published by Hacker News. Full story at the source.
Read full story on Hacker News → More top stories
Aggregated and edited by the Scoop newsroom. We surface news from Hacker News alongside other reporting so you can compare coverage in one place. Editorial policy · Corrections · About Scoop