On Thu, 21 May 2020 00:17:27 -0400
"Aaron B." <aa...@zadzmo.org> wrote:

> There's still networking to worry about after that, but just isolating
> processes in a more useful way is a huge step forward.

You can probably do that. If you use chroot to emulate containers,
simply partition UID and GID assignment into blocks. Each chroot gets a
unique /etc/passwd and /etc/group where IDs are offset by some value.
You just need to make sure to rebuild binary databases. This way
multiple processes that use the same user name (e.g. sshd, postfix,
httpd, etc) and are started inside chroot, run under unique IDs and
cannot send signals to one another.

There is no isolation for networking. You can assign multiple aliased
IP addresses to a single interface, but they are all visible and
accessible inside chroot. You need to be really careful about which
listening sockets you create and avoid wildcard addresses. NetBSD has
kauth(9) framework which could be use for RBAC, so potentially you could
restrict process access to specific IP addresses, but someone has to
write kernel modules and user applications that implement RBAC.

Reply via email to