On Mon, 8 Dec 2014, Tinker wrote:

Looking at Capsicum, I think it has an even lower safety profile than NaCl - my use case might just run any beastly binary code, so the sandbox wall needs to be the toughest you got, so using BHyVe here makes sense.

You could use jails..

- The kernel is booted in zero seconds;-),

- you could use nullfs mounts to create a read-only filesystem tree

- have one location read-write for your result

- use a devfs mount for needed device nodes (see rule set 4)

- and then run the command in a simple jail (directly from command line).

- Afterwards you delete the mounts.

Well, in fact you could prepare many many read-only jail file system trees and reuse them for the jail command again and again (minus the read-write area for the output)

It has much less overhead than starting a VM every time, I guess.

Regards
Peter
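The nullfs / devfs / jail cycle Peter sketches above, written out as a throwaway-jail script. This is an added example, not code from the original mail or from the FreeBSD project; the base tree path, result path, jail root and the `nobody` user are assumptions, and `$BASE` is assumed to be a populated userland that already contains empty `/result` and `/dev` directories. With `DRY_RUN=1` the script only prints the commands it would run, which is how the mount plan can be reviewed before it touches a real host.

```shell
#!/bin/sh
# Added example (not from the original mail): run one untrusted command in a
# throwaway FreeBSD jail assembled from a read-only nullfs view of a base
# tree, a single read-write result directory and a restricted devfs.
# All paths are assumptions; $BASE must already hold a populated userland
# that contains empty /result and /dev directories.
set -eu

BASE=${BASE:-/usr/jails/base}           # assumed read-only base userland
JAILROOT=${JAILROOT:-/tmp/sandbox.$$}   # per-run mount point
RESULT=${RESULT:-/var/sandbox/result}   # the only writable location
DRY_RUN=${DRY_RUN:-0}                   # 1 = print commands, do not run them

# run CMD...: execute, or only print when DRY_RUN=1 so the plan can be
# reviewed on a host without jail support.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_tree: assemble the jail root. Everything the untrusted code sees is
# read-only except $RESULT, and devfs gets ruleset 4 (devfsrules_jail in
# /etc/defaults/devfs.rules), which hides disks, ttys and most other nodes.
setup_tree() {
    run mkdir -p "$JAILROOT" "$RESULT"
    run mount_nullfs -o ro "$BASE" "$JAILROOT"
    run mount_nullfs -o rw "$RESULT" "$JAILROOT/result"
    run mount -t devfs devfs "$JAILROOT/dev"
    run devfs -m "$JAILROOT/dev" rule -s 4 applyset
}

# run_sandboxed CMD: run CMD via /bin/sh inside a one-shot jail with no
# network, as an unprivileged user; jail(8) tears the jail down when CMD
# exits because no "persist" parameter is given.
run_sandboxed() {
    run jail -c path="$JAILROOT" host.hostname=sandbox \
        ip4=disable ip6=disable exec.jail_user=nobody \
        command=/bin/sh -c "$1"
}

# teardown_tree: unmount in reverse order and drop the mount point; the
# base tree is untouched and can be reused for the next run.
teardown_tree() {
    run umount "$JAILROOT/dev"
    run umount "$JAILROOT/result"
    run umount "$JAILROOT"
    run rmdir "$JAILROOT"
}

# sandbox CMD: the whole cycle; the mounts are removed even if CMD fails.
sandbox() {
    setup_tree
    trap teardown_tree EXIT
    run_sandboxed "$1" || printf 'sandboxed command failed: %s\n' "$1" >&2
}

# Usage: ./sandbox.sh 'untrusted-binary --write-to /result'
if [ $# -gt 0 ]; then
    sandbox "$1"
fi
```

Two points worth keeping in mind when adapting it: the result directory is the only path the jailed process can write, so the command has to be told to put its output under `/result`, and the `nobody` user is resolved from the jail's own `/etc/passwd`, so the base tree must contain one.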
_______________________________________________
freebsd-virtualization@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-virtualization