Subject: jail() on NetBSD?
To: None <firstname.lastname@example.org>
From: John Goerzen <email@example.com>
Date: 01/22/2004 15:49:11
I am looking at NetBSD for some of my systems, but have a few questions
regarding its lack of jail() or some sort of equivolent mechanism.
I am looking for basically three things more powerful than chroot:
1. Process isolation. An errant (or malicious) process in one
"secure area" (for lack of a better word) should not be able to send
signals to, or even see, processes in the main system or another
2. Socket isolation. A process should only be able to bind to a
specific set of IPv4 or IPv6 addresses, even if more are configured
on the host.
3. Decreased capabilities. For instance, I wouldn't want any process
in the secure area to be able to run mknod(), even if it is running
On Linux, I have been using the vserver (www.linux-vserver.org) project
to successfully do the above. On FreeBSD, I would likely use jail().
NetBSD doesn't seem to have these capabilities; or perhaps I am just
missing them. I gather that, through the systrace system, I could
probably do #2 and possibly #3, but not #1. Is that correct?