NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Mult and process isolation (kauth perhaps?)


> I'm really interested in resurrecting this project, or perhaps something
> like it.  I've been wanting to dig deeper into some of the internals of
> NetBSD for a while now anyway, and a project such as this might just give me
> the excuse I've been looking for.  :)
that was what I was wishing for quite a time now and planned to do it myself,
but I don't have the time.

> However -- in my somewhat limited knowledge of NetBSD internals, I realised
> that rather than have something separate such as Mult, it might just as
> easily be worthwhile hooking this into the kauth subsystem directly?  What
> would others think?  Ultimately, I have the following questions (not in any
> order per se):
> 1.  Is this feature something NetBSD would appreciate? (Hello, NFI.  ;))
> 2.  If this email is not on the right list, kindly forward it to the
>     relevant one, and let me know which list I ought to be subscribed to.
>     :)
> 3.  If someone could point me to any relevant people for contact on this,
>     and/or relevant documentation, that too would be appreciated.
 1. I think, the project appreciates every work that is done, especially if
 it is that useful.

 2. Perhaps the tech-*-lists would be good as you have to jail a system in
 nearly every subsystem. For generic questions this list is good, for more
 technical you could have a look at tech-kern.

 3. This is rather difficult... There was a project presented by Christoph
 Badura in 2008 called 'gaols' on a *BSDCon (Asia?). He did exactly what you
 wanted to do, implement jails in kauth. You can get the link for that here:
 But he ran into some problems and limits of kauth where kauth does not
 provide what you need.

> I am just not sure where best to start, and hoping I can find someone with
> enough interest in this feature who knows enough about the NetBSD internals
> to shove me in the right direction -- if that's via an individual rather
> than a mailing list, kindly forward this email on to them, and let me know,
> so as not to waste anyone's time.
I don't know if there is a single person who has the time to give you single
lessons... But a project like this would have a big scope anyway, so reading
books should be better in this case.
Imho, you need a very deep knowledge of the system to implement this and
consider all the security risks which are not covered by kauth.

Anyway, for the beginning just implementing a jail in the kauth-scope, so
using all the hooks you can, would imho be still nice.
The best way to start reading are imho the kauth- and sysctl-manpages.

> Thanks all for you time, and hopefully I've initially sent this to the right
> list first of all.
As this is a more generic question, I think, this list should be right.

Regards, Julian

Attachment: signature.asc
Description: PGP signature

Home | Main Index | Thread Index | Old Index