I'm actually less interested in it as a security isolation boundary, and more interested in it providing more assurances about the behaviors we expect from the build, and provide more safety by default:
* Guarantees that processes don't continue running past the end of the build (or the part of the build). In practice, this should just be a safety precaution, and if you're starting the build via the docker command line every time, it should provide similar guarantees (if you're attaching to a long-running docker instance, not so much).
* Allows us to turn off the network for part of the build. In most cases right now this can be emulated by just turning off the network for that docker container, but with the remote execution work that's ongoing, we allow a daemon access to the network, but turn it off for the rest of the build (which tunnels build requests to the daemon as necessary).
* Recently on master, turns off write access to the rest of the system (except $srcdir, $outdir, $distdir, $home? something like that). Depending on your docker setup, this safety may not be too important (just mounting the necessary directories, and throwing away any changes made after the build exists, for example).
So while we can't require the use of nsjail at this point, it may mean that your build succeeds while the same build on another system using nsjail fails. You may be able to configure docker similarly, but changing the configuration during different parts of the build likely wouldn't be possible.
I'd like to do things like turn the source directory read only, but I've been hesitant to do so because it'll cause a larger behavior difference between the nsjail users and the rest. Also on the list is hiding things like /usr/include from the build, as we never want to use it. Potentially changing what parts of the output tree are read/write vs read-only vs invisible during different parts of the build is another idea I've had.
- Dan