Folks, I would add that sysjail (not the FreeBSD implementation but the implementation <http://sysjail.bsd.lv/> based on systrace(4)) has known holes that make it unsuitable as a security tool; please don't use it. I had the privilege of speaking with Robert Watson directly at a conference a few years ago, and he explained to me exactly how systrace is vulnerable to practical attacks based on race conditions. His paper on this is at:
<http://www.lightbluetouchpaper.org/2007/08/06/usenix-woot07-exploiting-concu rrency-vulnerabilities-in-system-call-wrappers-and-the-evil-genius/> --Paul On Jul 21, 2011, at 9:05 AM, Kristaps Dzonsons wrote: >> I think the question is not new but I only found an old talk for version >> 3.x, so I want to ask again: >> >> Is there anything comparable to FreeBSD jails (now)? >> >> I found sysjail but I am not sure, if it is working under 4.9 (maybe I >> will try it in the next few days): >> http://richizo.wordpress.com/2008/12/31/jailing-openbsd-in-5-steps/ > > I haven't touched sysjail since 4.3 and nobody's sent patches to update it since then (though some hot air's been blown around). The linked tutorial is also wrong: it just copies around some ifdefs instead of actually making sure nothing's changed between versions. Bad. Please contact me off-list if you're SERIOUS about maintaining sysjail between versions (no patches = don't bother). Of course, this won't change that sysjail is breakable (and, note significantly, NOT part of OpenBSD proper). > > Kristaps. [demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
