Subject: jail() on NetBSD?
To: None <netbsd-users@netbsd.org>
From: John Goerzen <jgoerzen@complete.org>
List: netbsd-users
Date: 01/22/2004 15:49:11

Hello,

I am looking at NetBSD for some of my systems, but have a few questions
regarding its lack of jail() or some sort of equivalent mechanism.
I am looking for basically three things more powerful than chroot:

1. Process isolation. An errant (or malicious) process in one
"secure area" (for lack of a better word) should not be able to send
signals to, or even see, processes in the main system or another
secure area.

2. Socket isolation. A process should only be able to bind to a
specific set of IPv4 or IPv6 addresses, even if more are configured
on the host.

3. Decreased capabilities. For instance, I wouldn't want any process
in the secure area to be able to run mknod(), even if it is running
as root.

On Linux, I have been using the vserver (www.linux-vserver.org) project
to successfully do the above. On FreeBSD, I would likely use jail().
NetBSD doesn't seem to have these capabilities; or perhaps I am just
missing them. I gather that, through the systrace system, I could
probably do #2 and possibly #3, but not #1. Is that correct?

Thanks,
John Goerzen