From: Jagger Date: Sat, 16 May 2015 03:18:23 +0000 (+0200) Subject: README.md X-Git-Tag: 1.0~19 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a72d3dd2000571a703a3a5399003acb5ed00d656;p=platform%2Fupstream%2Fnsjail.git README.md --- diff --git a/README.md b/README.md index 4f04914..dad039f 100644 --- a/README.md +++ b/README.md @@ -1,13 +1,18 @@ ### WHAT IS IT? -NsJail is a Linux process isolation tool, making use of the the namespacing, resource control, and seccomp-bpf syscall filter subsystems of the Linux kernel +NsJail is a process isolation tool for Linux. It makes use of the the namespacing, resource control, and seccomp-bpf syscall filter subsystems of the Linux kernel. + +It can be used, among others to: + * Secure networking service (e.g. web, time, DNS), by isolating them from the rest of the OS + * Hosting computer security challenges (so-called CTFs) + * Containing invasive syscall-level OS fuzzers This is NOT an official Google product. ### WHAT KIND OF ISOLATION DOES IT PROVIDE? -1. Linux namespaces: UTS, MOUNT, PID, IPC, NET, USER +1. Linux namespaces: UTS (hostname), MOUNT (chroot), PID (separate PID tree), IPC, NET (separate networking context), USER 2. FS constraints: chroot(), pivot_root(), RO-remounting -3. Resource limits (Wall-time/CPU time limits, VM space limits, etc.) -4. Seccomp-bpf syscall filters +3. Resource limits (wall-time/CPU time limits, VM/mem address space limits, etc.) +4. Programmable seccomp-bpf syscall filters ### WHICH USE-CASES ARE COVERED? #### Isolation of network servers (inetd-style) @@ -30,7 +35,7 @@ This is NOT an official Google product. / $ ps wuax PID USER COMMAND 1 99999 /bin/sh -i - 2 99999 {busybox} ps wuax + 3 99999 {busybox} ps wuax / $ ``` @@ -49,7 +54,7 @@ This is NOT an official Google product. / $ ps wuax PID USER COMMAND 1 99999 /bin/sh -i - 2 99999 {busybox} ps wuax + 4 99999 {busybox} ps wuax / $exit $ ```
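Review bot: In the `@@ -1,13 +1,18 @@` hunk, the new gloss `MOUNT (chroot)` on item 1 is misleading. A mount namespace gives the process its own mount table; it is not a chroot, and item 2 already lists `chroot()` and `pivot_root()` as separate FS constraints. Something like `MOUNT (separate mount table)` would keep the two mechanisms distinct for readers judging what each layer protects. Two wording points in the same hunk: the rewritten first sentence still carries the doubled article in "makes use of the the namespacing", and the new bullet list under "It can be used, among others to:" is not parallel ("Secure networking service", "Hosting ...", "Containing ..."), so it reads better as "Secure networking services", "Host ...", "Contain ...". The commit subject is only "README.md", which says nothing about the wording or isolation-list changes made here.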
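Review bot: In the `@@ -30,7 +35,7 @@` hunk, the sample `ps wuax` output now lists PID 1 followed directly by PID 3, and nothing in the visible lines or the commit subject says why PID 2 is skipped. Since this transcript is what readers use to confirm that the PID namespace is working (the shell as PID 1 under user 99999), either add a short sentence next to the example saying that PIDs after 1 depend on what ran earlier in the session, or note in the commit message that the listing was re-captured from a real run.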
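Review bot: In the `@@ -54,7 +59,7 @@`-side of the last hunk (`@@ -49,7 +54,7 @@`), the `ps` line now shows PID 4 while the otherwise identical listing in the previous hunk shows PID 3, so the two example transcripts disagree without any explanation in the visible lines. If both were pasted from real sessions, say so next to the examples; otherwise use the same value in both. While touching this block, the unchanged context line `/ $exit` is missing the space after the prompt that the other prompt lines (`/ $ ps wuax`) have.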