On Tue 06 Apr 2021 at 20:01:15 -0400, Austin Kim wrote:
> On Apr 6, 2021, at 2:16 PM, Martin Husemann <mar...@duskware.de> wrote:
> > Yes, but there are various KAUTH_REQ_PROCESS_CANSEE* that solve parts of
> > that problem. Some more may be missing.
> > 
> > Martin
> 
> Hmmm? Now I'm starting to wonder how much of the equivalent
> functionality you could achieve just through judicious use of
> chroot(2) and kauth(9) alone?

I had the same idea in the past, but haven't done anything concrete with
it.

For faking separate PID 'namespaces', you could get away with just
hiding processes that you're not allowed to see. PIDs are random anyway
so you won't really notice.

For other things, like UIDs, GIDs, etc it is a bit trickier because you
could get multiple 'namespaces' using the same value and you can't even
prevent it without causing weird failures. For those, you'd need some
mapping layer somewhere to translate between global values and
inside-the-namespace values. There is something like that for stacked
file systems (mount_umap) but that won't be enough.

Maybe we can invent something cleverer than Linux. Syscall interception
layers as a file system perhaps?

-Olaf.
-- 
___ Q: "What's an anagram of Banach-Tarski?"  -- Olaf "Rhialto" Seibert
\X/ A: "Banach-Tarski Banach-Tarski."         -- rhialto at falu dot nl
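
An added example, not from Olaf's post and not NetBSD kernel code: a small user-space C model of the two ideas in the message above, a CANSEE-style listener that hides processes whose root directory differs from the requester's, and a umap-style per-root uid table that translates between inside-the-jail and global values. The process table, root ids and uid numbers are constructed for illustration; the listener signature and result names are simplified stand-ins for kauth(9)'s, not its real API.

```c
/* User-space model of "fake PID namespaces via kauth CANSEE" plus a
 * umap-style uid mapping layer. Everything here is hypothetical: the
 * struct layout, result codes and sample data are invented for the model. */
#include <stddef.h>
#include <stdio.h>

/* kauth-like results, redefined so the model builds outside the kernel */
enum { RESULT_ALLOW = 0, RESULT_DENY = 1, RESULT_DEFER = 2 };

/* A process as the model sees it: global pid and uid, plus an id for the
 * root directory it was chroot(2)'ed into (0 = the real root). */
struct mproc {
    int pid;
    unsigned global_uid;
    int root_id;
};

/* Modelled on a KAUTH_SCOPE_PROCESS listener for KAUTH_PROCESS_CANSEE:
 * a jailed requester may not see a process that has a different root.
 * Anything else is deferred to the default policy. */
int cansee_listener(const struct mproc *requester, const struct mproc *target)
{
    if (requester->root_id == 0)
        return RESULT_DEFER;            /* not in a jail: default rules apply */
    if (requester->root_id != target->root_id)
        return RESULT_DENY;             /* other jail or the host: hidden */
    return RESULT_DEFER;
}

/* The "fake PID namespace": the process table as seen from `viewer`. */
size_t visible_pids(const struct mproc *viewer, const struct mproc *table,
                    size_t n, int *out, size_t cap)
{
    size_t k = 0;
    for (size_t i = 0; i < n && k < cap; i++)
        if (cansee_listener(viewer, &table[i]) != RESULT_DENY)
            out[k++] = table[i].pid;
    return k;
}

/* umap-style mapping: each jail has its own local uid space; the kernel
 * only ever works with the global column. Two jails may both use local
 * uid 1000 without colliding because they map to different global uids. */
struct uidmap_entry { int root_id; unsigned local_uid; unsigned global_uid; };

static const struct uidmap_entry UIDMAP[] = {   /* constructed */
    { 1, 0,    100000 },
    { 1, 1000, 101000 },
    { 2, 0,    200000 },
    { 2, 1000, 201000 },
};
#define NMAP (sizeof UIDMAP / sizeof UIDMAP[0])

/* Returns 1 and sets *global on success, 0 if the jail has no such uid. */
int local_to_global(int root_id, unsigned local, unsigned *global)
{
    for (size_t i = 0; i < NMAP; i++)
        if (UIDMAP[i].root_id == root_id && UIDMAP[i].local_uid == local) {
            *global = UIDMAP[i].global_uid;
            return 1;
        }
    return 0;
}

/* Returns 1 and sets *local on success, 0 if the global uid is not
 * representable inside this jail (e.g. it belongs to another jail). */
int global_to_local(int root_id, unsigned global, unsigned *local)
{
    for (size_t i = 0; i < NMAP; i++)
        if (UIDMAP[i].root_id == root_id && UIDMAP[i].global_uid == global) {
            *local = UIDMAP[i].local_uid;
            return 1;
        }
    return 0;
}

/* Constructed sample process table: host init plus two jails. */
static const struct mproc TABLE[] = {
    { 1,    0,      0 },    /* init, real root */
    { 4711, 101000, 1 },    /* jail 1, local uid 1000 */
    { 4712, 100000, 1 },    /* jail 1, local root */
    { 9001, 201000, 2 },    /* jail 2, local uid 1000 */
};
#define NTABLE (sizeof TABLE / sizeof TABLE[0])

int main(void)
{
    int out[8];
    size_t n = visible_pids(&TABLE[1], TABLE, NTABLE, out, 8);
    printf("pid 4711 sees %zu process(es):", n);
    for (size_t i = 0; i < n; i++)
        printf(" %d", out[i]);
    printf("\n");

    unsigned l;
    printf("global uid 201000 inside jail 1: %s\n",
           global_to_local(1, 201000, &l) ? "mapped" : "not representable");
    return 0;
}
```

Running it from the host (root_id 0) shows every process, while from pid 4711 only jail 1's two processes are visible; the last lookup is the case Olaf points at, a uid that exists globally but has no legitimate value inside the requesting jail, which is where a mapping layer has to either reserve a "nobody" value or refuse.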
