Install / Build

jai is Linux-only and runs on kernel version 6.13 or later.

Package install

TODO

Package installation instructions (Arch AUR, Debian/Ubuntu .deb, Fedora COPR, Nix, etc.) are not yet available. For now, build from source.

Build from source

Dependencies

jai requires:

  • A C++23 compiler (GCC 13+ or Clang 17+)
  • libmount (from util-linux)
  • libacl
  • pkg-config
  • Standard autotools (autoconf, automake) for the build system
  • pandoc (only when building from git, to format the man page)

Most modern Linux systems with a development environment installed should already satisfy all of these dependencies except pandoc.

Build

If building from a release, unpack the software with tar, configure and build it:

bash
tar xzf jai-x.y.tar.gz
cd jai-x.y
./configure
make

If you want to build the latest version from git, run:

bash
git clone https://github.com/stanford-scs/jai.git
cd jai
./autogen.sh
./configure
make

jai requires a dedicated untrusted user for strict sandboxes, called jai by default. The jai user must be different from nobody (which is the "overflow" user in id-mapped mounts). If you don't want to call the user jai, you can modify the configure command above to specify an alternate name, for instance _jai:

./configure --with-untrusted-user=_jai

Install

bash
sudo make install

jai must run as root (it uses unshare and various privileged file system and mount-related syscalls), so it is installed setuid root. If you do not want to install it setuid root, you can install it manually and run it with sudo.

make install also creates the untrusted user account (jai by default). You can do this step manually by placing jai.conf in $PREFIX/lib/sysusers.d/ and then invoking systemd-sysusers. Note that if you create the untrusted user by hand rather than with systemd-sysusers, you must set the GECOS field to exactly "JAI sandbox untrusted user" (without the quotes) and the home directory to /. Otherwise, jai will not recognize the user out of fear that you have a real user named jai on your system.
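An added example, not part of jai or its build system: a POSIX shell function that checks a passwd(5) entry against the rules stated above for a hand-created untrusted user (exact GECOS string, home directory /, not nobody). The function name check_jai_entry, the sample entries and their UIDs are constructed for illustration, and treating UID 65534 as the overflow UID is an assumption based on the kernel default.

```sh
#!/bin/sh
# Added example (not jai's own code): validate a passwd(5) entry against the
# requirements this page gives for a manually created untrusted user.

JAI_GECOS='JAI sandbox untrusted user'  # exact GECOS string from the page
OVERFLOW_UID=${OVERFLOW_UID:-65534}     # assumption: kernel default overflowuid

# check_jai_entry PASSWD_LINE [NAME]
# Prints one FAIL line per violated rule; exit status 0 means the entry passes.
# NAME defaults to jai; pass the --with-untrusted-user value if you changed it.
check_jai_entry() (
    want=${2:-jai}
    rc=0
    fail() { echo "FAIL: $*"; rc=1; }
    # Split the colon-separated passwd fields; empty fields are preserved.
    IFS=: read -r name _pw uid _gid gecos home _shell <<EOF
$1
EOF
    [ -n "$name" ] || { echo "FAIL: no passwd entry"; exit 1; }
    [ "$name" = "$want" ] || fail "entry is for '$name', expected '$want'"
    [ "$name" != nobody ] || fail "untrusted user must not be nobody"
    [ "$uid" != "$OVERFLOW_UID" ] || fail "UID $uid is the overflow UID"
    [ "$gecos" = "$JAI_GECOS" ] ||
        fail "GECOS is '$gecos', must be exactly '$JAI_GECOS'"
    [ "$home" = / ] || fail "home directory is '$home', must be /"
    exit "$rc"
)

# Constructed sample entries, not taken from a real system.
GOOD='jai:x:971:971:JAI sandbox untrusted user:/:/usr/sbin/nologin'
# Typical hand-made mistake: comma-padded GECOS and a real home directory.
BAD='jai:x:1001:1001:JAI sandbox untrusted user,,,:/home/jai:/bin/bash'

for entry in "$GOOD" "$BAD"; do
    if out=$(check_jai_entry "$entry"); then
        echo "ok:  $entry"
    else
        echo "bad: $entry"
        echo "$out"
    fi
done
# On a live system: check_jai_entry "$(getent passwd jai)"
```
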

First-run setup

After installing, run:

bash
jai --init

This creates default configuration files in $HOME/.jai/, including the .defaults file that ships sensible blacklists for sensitive dotfiles and environment variables.

JAI_CONFIG_DIR

If your home directory is on NFS, you may want to relocate jai's configuration and storage:

bash
export JAI_CONFIG_DIR=/local/disk/.jai
jai --init

This puts all configuration files, private home directories, and overlay storage on a local filesystem where extended attributes and overlayfs work correctly. If you wish to keep configuration files in your home directory, put the line "storage /local/disk/jai-storage" (without the quotes) in $HOME/.jai/.defaults to move just the private home directory storage to local disk.

Stanford SCS