Show HN: Z-Jail – A 130 KB Linux sandbox-C99 with 7 defense layers and zero deps
Key takeaways
- Multi-layer sandbox for native code execution on Linux.
- Existing sandboxing solutions make trade-offs:
- Z-Jail fills the niche between bwrap (minimal, no seccomp-by-default) and nsjail (featureful, heavy deps).
Multi-layer sandbox for native code execution on Linux. Seven independent defence layers — no external dependencies, ~130 KiB PIE binary.
┌──────────────────────────────────────────────────────────────┐
│                            Z-Jail                            │
├──────────────────────────────────────────────────────────────┤
│ Truthimatics Public Version (evidence-based verdict engine)  │
│ Namespaces (mount, pid, net, ipc, uts)                       │
│ pivot_root (chroot on steroids)                              │
│ Capabilities (drop all, lock securebits)                     │
│ NO_NEW_PRIVS (no privilege escalation)                       │
│ seccomp-BPF (whitelist: 15 syscalls only)                    │
│ Audit (JSON logging + BLAKE2b hashing)                       │
└──────────────────────────────────────────────────────────────┘

Quick Start

    git clone https://github.com/Division-36/Z-Jail.git
    cd Z-Jail
    make
    sudo ./z_jail --root=/path/to/rootfs --seccomp-enforce -- /bin/ls

The --root directory should contain a minimal filesystem with the target binary and its dependencies (for static binaries, just the binary is enough).
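Three of the layers listed above (capabilities, NO_NEW_PRIVS, seccomp-BPF) leave a visible trace in the kernel's /proc/<pid>/status file, so their effect on a jailed process can be checked independently of the sandbox's own logging. The following is an added example, not code from the Z-Jail project: `audit_status` and the `WEAK_*` flags are hypothetical names, and it assumes "drop all" means all five capability sets read as zero.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One bit per layer that is NOT in its hardened state (hypothetical names). */
enum { WEAK_CAPS = 1, WEAK_NNP = 2, WEAK_SECCOMP = 4, WEAK_PARSE = 8 };

/* Parse the numeric value of "key:" where key starts a line of the status text. */
static int field(const char *s, const char *key, int base, unsigned long long *out)
{
    size_t klen = strlen(key);
    while (s && *s) {
        if (strncmp(s, key, klen) == 0 && s[klen] == ':') {
            char *end;
            *out = strtoull(s + klen + 1, &end, base);
            return end != s + klen + 1;
        }
        s = strchr(s, '\n');          /* advance to the next line */
        if (s) s++;
    }
    return 0;                         /* field absent */
}

/* Assumption: "drop all" leaves every capability set (incl. bounding) empty. */
int audit_status(const char *status)
{
    static const char *caps[] = { "CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb" };
    unsigned long long v;
    int weak = 0;
    for (size_t i = 0; i < sizeof caps / sizeof caps[0]; i++)
        weak |= !field(status, caps[i], 16, &v) ? WEAK_PARSE : (v ? WEAK_CAPS : 0);
    weak |= !field(status, "NoNewPrivs", 10, &v) ? WEAK_PARSE : (v != 1 ? WEAK_NNP : 0);
    /* Seccomp: 0 = disabled, 1 = strict, 2 = filter (BPF) mode */
    weak |= !field(status, "Seccomp", 10, &v) ? WEAK_PARSE : (v != 2 ? WEAK_SECCOMP : 0);
    return weak;
}

int main(int argc, char **argv)
{
    static char buf[8192];
    const char *path = argc > 1 ? argv[1] : "/proc/self/status";
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 2; }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    int weak = audit_status(buf);
    printf("caps_dropped=%d no_new_privs=%d seccomp_filter=%d parsed=%d\n",
           !(weak & WEAK_CAPS), !(weak & WEAK_NNP), !(weak & WEAK_SECCOMP), !(weak & WEAK_PARSE));
    return weak ? 1 : 0;
}
```

Run it from the host against the jailed process with `/proc/<pid>/status` as the argument; running it inside the jail works only if /proc is present in the root and the filter permits the file syscalls it needs.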