On Thu, 21 May 2020 00:17:27 -0400 "Aaron B." <aa...@zadzmo.org> wrote:
> There's still networking to worry about after that, but just isolating
> processes in a more useful way is a huge step forward.

You can probably do that. If you use chroot to emulate containers, simply partition UID and GID assignment into blocks. Each chroot gets a unique /etc/passwd and /etc/group where IDs are offset by some value. You just need to make sure to rebuild the binary databases. This way multiple processes that use the same user name (e.g. sshd, postfix, httpd, etc.) and are started inside a chroot run under unique IDs and cannot send signals to one another.

There is no isolation for networking. You can assign multiple aliased IP addresses to a single interface, but they are all visible and accessible inside the chroot. You need to be really careful about which listening sockets you create and avoid wildcard addresses. NetBSD has the kauth(9) framework, which could be used for RBAC, so potentially you could restrict process access to specific IP addresses, but someone has to write kernel modules and user applications that implement RBAC.
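The two points above (per-chroot passwd/group files with offset IDs, and auditing for wildcard listeners) as an added shell example; this is illustration code written for this page, not from the poster or from NetBSD. It assumes the NetBSD master.passwd(5) layout (10 colon-separated fields) and group(5) layout (4 fields), that pwd_mkdb(8) with `-d ROOT` writes the databases under ROOT/etc (a NetBSD-specific assumption; the call is skipped where the tool is absent), and the netstat -an "Local Address" format `*.port` for wildcard binds. Leaving uid/gid 0 unshifted is a choice made here: chroot does not virtualise IDs, so root must stay 0 inside every chroot.

```shell
#!/bin/sh
# Added example, not the poster's code: partition the UID/GID space per chroot.
# Every non-root UID/GID in a template master.passwd/group is shifted by a
# per-chroot OFFSET, so "www" in chroot A and "www" in chroot B become distinct
# kernel IDs and cannot signal each other.

# offset_ids TEMPLATE_MASTER_PASSWD TEMPLATE_GROUP CHROOT_ROOT OFFSET
# Writes CHROOT_ROOT/etc/master.passwd and CHROOT_ROOT/etc/group.
offset_ids() {
    tmpl_pw=$1 tmpl_gr=$2 root=$3 off=$4
    mkdir -p "$root/etc"

    # master.passwd(5): name:pw:uid:gid:class:change:expire:gecos:home:shell
    # Shift uid ($3) and primary gid ($4) unless they are 0 (root stays root).
    awk -F: -v OFS=: -v off="$off" '
        NF >= 10 && $1 !~ /^#/ {
            if ($3 != 0) $3 += off
            if ($4 != 0) $4 += off
        }
        { print }' "$tmpl_pw" > "$root/etc/master.passwd"
    chmod 600 "$root/etc/master.passwd"

    # group(5): name:pw:gid:members  (shift gid unless it is 0, i.e. wheel)
    awk -F: -v OFS=: -v off="$off" '
        NF >= 3 && $1 !~ /^#/ && $3 != 0 { $3 += off }
        { print }' "$tmpl_gr" > "$root/etc/group"

    # Rebuild the binary databases for this chroot's /etc. Assumption: NetBSD
    # pwd_mkdb -d ROOT writes ROOT/etc/pwd.db and spwd.db, and -p also emits
    # the Version 7 ROOT/etc/passwd. Skipped on systems without pwd_mkdb.
    if command -v pwd_mkdb >/dev/null 2>&1; then
        pwd_mkdb -p -d "$root" "$root/etc/master.passwd"
    fi
}

# wildcard_listeners NETSTAT_OUTPUT_FILE
# Prints every TCP listening socket bound to the wildcard address. Input is
# the output of `netstat -an` (NetBSD format: Proto Recv-Q Send-Q Local Foreign State),
# where a wildcard bind shows as "*.PORT". Such sockets are reachable on every
# aliased address, i.e. from every "container" sharing the interface.
wildcard_listeners() {
    awk '$1 ~ /^(tcp|tcp6)$/ && $NF == "LISTEN" && $4 ~ /^\*\./ { print $4 }' "$1"
}

# Usage (on the host, per chroot):
#   offset_ids /etc/master.passwd /etc/group /chroot/web  10000
#   offset_ids /etc/master.passwd /etc/group /chroot/mail 20000
#   netstat -an > /tmp/ns.txt && wildcard_listeners /tmp/ns.txt
```

Each chroot's offset block must be large enough to hold every ID in the template (10000 apart is plenty for a base-system template), and the audit function only reports what is already listening: the actual fix is to configure each daemon inside the chroot to bind its own aliased address instead of `*`.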