On Tue, 6 Apr 2021 20:16:25 +0200 Martin Husemann <mar...@duskware.de> wrote:
> On Tue, Apr 06, 2021 at 06:11:52PM -0000, Christos Zoulas wrote:
> > In article <20210406163302.gj6...@mail.duskware.de>,
> > Martin Husemann <mar...@duskware.de> wrote:
> > >On Tue, Apr 06, 2021 at 12:29:31PM -0400, Aaron B. wrote:
> > >> It's just the same chroot system call under the hood. And currently,
> > >> that's all there is. The kernel simply doesn't have any other way to
> > >> isolate processes at the time.
> > >
> > >Well, there is kauth(9), which can be extended by specific listeners
> > >(but AFAIK nothing shrink-wrapped is shipped with the base OS).
> >
> > Well, kauth does authorization checking, we are talking here about providing
> > separate namespaces for different processes (networking, filesystem etc.)
>
> Yes, but there are various KAUTH_REQ_PROCESS_CANSEE* that solve parts of
> that problem. Some more may be missing.

I have an idea for a 'create silo' system call, which works like chroot - but
instead of operating on the filesystem, it hooks into those exact kauth
permissions to isolate a process and its descendants.

It still wouldn't be a full jail/container, but a decent step forward.

I would happily implement this myself, but the past few years have not left
me with the spare time to try.

-- 
Aaron B.
<aa...@zadzmo.org>
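The following is an added example, not code from this thread or from NetBSD. It is a user-space model of how a 'create silo' tag on a credential could drive a kauth(9) process-scope listener for the CANSEE check that Martin and Aaron discuss above. Everything kauth-flavoured in it is a stand-in: the KAUTH_* constants have assumed values, the listener merely mimics the shape of a kauth scope callback (cred, action, cookie, four args) and the "authorize" function stands in for the default secmodel with a root-or-same-uid rule. The silo semantics (silo 0 means unsiloed, tagging is one-way like chroot(2), an unsiloed observer is unrestricted, cross-silo visibility is denied regardless of uid) are design assumptions for the demonstration, not anything the thread settled.

```c
/* Added example (not NetBSD code): user-space model of a silo-aware
 * kauth(9)-style CANSEE listener. All KAUTH_* values are assumed stand-ins. */
#include <stddef.h>
#include <stdio.h>

#define KAUTH_RESULT_ALLOW   0
#define KAUTH_RESULT_DENY    1
#define KAUTH_RESULT_DEFER   2
#define KAUTH_PROCESS_CANSEE 1

/* Modelled credential and process: only what the silo check needs.
 * silo == 0 means "not in any silo" (assumption). */
struct silo_cred { unsigned uid; unsigned silo; };
struct silo_proc { int pid; struct silo_cred cred; };

#define SILO_MAXPROC 16
static struct silo_proc silo_procs[SILO_MAXPROC];
static int silo_nprocs;

void silo_reset(void) { silo_nprocs = 0; }

/* Create a process with the given uid, outside any silo. */
struct silo_proc *silo_spawn(unsigned uid)
{
    if (silo_nprocs >= SILO_MAXPROC) return NULL;
    struct silo_proc *p = &silo_procs[silo_nprocs++];
    p->pid = silo_nprocs;
    p->cred.uid = uid;
    p->cred.silo = 0;
    return p;
}

/* fork(2) analogue: the child inherits the whole credential, silo id
 * included, which is what makes the tag cover "a process and its descendants". */
struct silo_proc *silo_fork(const struct silo_proc *parent)
{
    struct silo_proc *child = silo_spawn(parent->cred.uid);
    if (child) child->cred.silo = parent->cred.silo;
    return child;
}

/* Hypothetical create_silo(2): one-way, like chroot(2). Returns 0 or -1. */
int create_silo(struct silo_proc *p, unsigned silo)
{
    if (silo == 0 || p->cred.silo != 0)
        return -1;   /* invalid id, or already siloed: no re-tagging, no escape */
    p->cred.silo = silo;
    return 0;
}

/* Listener shaped like a kauth process-scope callback:
 * (cred, action, cookie, arg0 = target proc, arg1 = CANSEE request, arg2, arg3).
 * In a real kernel module it would be registered with
 * kauth_listen_scope(KAUTH_SCOPE_PROCESS, silo_listener, NULL). */
int silo_listener(const struct silo_cred *cred, int action, void *cookie,
                  void *arg0, void *arg1, void *arg2, void *arg3)
{
    const struct silo_proc *target = arg0;
    (void)cookie; (void)arg1; (void)arg2; (void)arg3;

    if (action != KAUTH_PROCESS_CANSEE)
        return KAUTH_RESULT_DEFER;   /* not our action: other listeners decide */
    if (cred->silo == 0)
        return KAUTH_RESULT_DEFER;   /* unsiloed observer: ordinary rules (assumption) */
    if (cred->silo != target->cred.silo)
        return KAUTH_RESULT_DENY;    /* cross-silo: hidden regardless of uid */
    return KAUTH_RESULT_DEFER;       /* same silo: ordinary rules apply */
}

/* kauth_authorize_process() analogue for CANSEE: DENY wins, ALLOW beats DEFER,
 * and an all-DEFER result falls back to a root-or-same-uid rule that stands in
 * for the default secmodel. Returns 1 if observer may see target, else 0. */
int silo_can_see(const struct silo_proc *observer, const struct silo_proc *target)
{
    int r = silo_listener(&observer->cred, KAUTH_PROCESS_CANSEE, NULL,
                          (void *)target, NULL, NULL, NULL);
    if (r == KAUTH_RESULT_DENY)  return 0;
    if (r == KAUTH_RESULT_ALLOW) return 1;
    return observer->cred.uid == 0 || observer->cred.uid == target->cred.uid;
}

/* Number of processes a ps(1)-style listing would show the observer. */
int silo_count_visible(const struct silo_proc *observer)
{
    int n = 0;
    for (int i = 0; i < silo_nprocs; i++)
        if (silo_can_see(observer, &silo_procs[i]))
            n++;
    return n;
}

int main(void)
{
    silo_reset();
    struct silo_proc *init = silo_spawn(0);
    struct silo_proc *a = silo_fork(init); a->cred.uid = 1000; create_silo(a, 1);
    struct silo_proc *b = silo_fork(a);                       /* inherits silo 1 */
    struct silo_proc *c = silo_fork(init); c->cred.uid = 1000; create_silo(c, 2);
    struct silo_proc *d = silo_fork(init); d->cred.uid = 1000; /* same uid, no silo */

    printf("a sees b (same silo):              %d\n", silo_can_see(a, b));
    printf("a sees c (other silo, same uid):   %d\n", silo_can_see(a, c));
    printf("a sees d (unsiloed, same uid):     %d\n", silo_can_see(a, d));
    printf("d sees a (unsiloed observer):      %d\n", silo_can_see(d, a));
    printf("visible to a: %d, to d: %d, to init: %d\n",
           silo_count_visible(a), silo_count_visible(d), silo_count_visible(init));
    return 0;
}
```

The point of the DEFER results is that the silo listener only ever narrows what the existing secmodel would allow; it never grants anything, so stacking it on top of the default rules cannot weaken them. This models only the CANSEE half of the problem; it does nothing for the separate namespaces (network, filesystem) that Christos points out kauth does not provide.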