jSYS - A complete chroot jails system for GNU/Linux
jSYS, or jSYSTEM, is software for creating virtual file system layouts and locking applications inside them.
It's important to note that jSYS isn't virtualization software like Xen, KVM or VMware, because it is made for a different purpose: to better isolate the applications running on a system. Virtualization tools are made to isolate the host operating system from the virtualized operating systems (the guests), while jSYS is made to give a running application a high-level virtual filesystem. jSYS doesn't replace virtualization software, but it can work in virtualized environments (as well as non-virtualized ones) to give better protection by isolating the individual running applications.
jSYS is a user-level application running in ring 3. It doesn't require you to compile any kernel module or to patch the kernel you're currently using in any way. The only requirement is administrative permission (access to the root account) to install the software. Once installed, the software uses FUSE to create one or more userspace filesystems. Any number of applications can be started from inside a virtual filesystem, and these applications will see and access only the files they've been allowed to access. All running applications are locked in the virtual filesystem in a way similar to the “chroot” tool, but much safer and more accurate. Please refer to the technical documentation for more technical information.
jSYS may be configured to allow remote users to access the system inside the virtual filesystem, for example through SSH, and then to log in to a shell. When a user logs in (remotely or locally), or when software is started via jSYS, applications can see, execute and list only the files and directories that have been made visible.
jSYS is able to create virtual directories and files. Virtual directory trees can be configured to load their subdirectories from different folders and/or from different filesystems. The software can also block write access to specified files and folders, and give software access to virtual directories with different capabilities. It's possible to deny an application the ability to list the folders and files in a directory, or to delete, read, write or overwrite the files it contains.
The software is able to create permissions-based filters. This is particularly useful to hide or deny access to directories and files owned by other users registered on the system: for example, it's possible to list in the virtual folder “/proc” only the PIDs of applications that belong to the user listing the files.
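The “/proc” case above can be sketched as a decision function. This is an added Python example, not jSYS code or configuration, and the function names and the injectable `stat` parameter are assumptions made for illustration. It applies the ownership rule to both directory listing and direct path access, because a PID that is hidden from a listing but still reachable by number is not isolated.

```python
import os


def owner_of(proc_root, pid, stat=os.stat):
    """Return the uid owning <proc_root>/<pid>, or None if the process is gone."""
    try:
        return stat(os.path.join(proc_root, pid)).st_uid
    except FileNotFoundError:
        return None  # process exited between readdir and stat


def filtered_listing(proc_root, viewer_uid, stat=os.stat):
    """Entries the viewer may see: non-PID entries plus PIDs the viewer owns."""
    visible = []
    for name in sorted(os.listdir(proc_root)):
        if not name.isdigit():
            visible.append(name)  # e.g. "meminfo": not a per-process entry
        elif owner_of(proc_root, name, stat) == viewer_uid:
            visible.append(name)
    return visible


def may_access(proc_root, rel_path, viewer_uid, stat=os.stat):
    """Apply the same rule to a direct lookup of a path relative to proc_root."""
    # normpath collapses "200/../1" to "1", so the check sees the real target.
    first = os.path.normpath(rel_path).split(os.sep)[0]
    if first in ("", ".."):
        return False  # absolute path or escape above the virtual root
    if not first.isdigit():
        return True
    return owner_of(proc_root, first, stat) == viewer_uid


if __name__ == "__main__":
    uid = os.getuid()
    pids = [e for e in filtered_listing("/proc", uid) if e.isdigit()]
    print(f"uid {uid} sees {len(pids)} of its own PIDs under /proc")
```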
A user may want to install jSYS on a system:
- To create sandboxes.
- To better isolate running applications and services.
- To emulate different file system layouts.
- To have chroots loading a selected group of libraries and executables from the main filesystem without needing to update all these files manually or with scripts when the operating system has been updated.
jSYS is able to change its configuration on the fly, including the redirects, the jails, the lists of allowed and blocked files and folders, and the attribute-based filters. This allows you to change the configuration of any instance of jSYS without restarting the running applications.