Re: OS-level virtualization
On Tue, Apr 06, 2021 at 06:11:52PM -0000, Christos Zoulas wrote:
> In article <20210406163302.GJ6788%mail.duskware.de@localhost>,
> Martin Husemann <martin%duskware.de@localhost> wrote:
> >On Tue, Apr 06, 2021 at 12:29:31PM -0400, Aaron B. wrote:
> >> It's just the same chroot system call under the hood. And currently,
> >> that's all there is. The kernel simply doesn't have any other way to
> >> isolate processes at the time.
> >Well, there is kauth(9), which can be extended by specific listeners
> >(but AFAIK nothing shrink-wrapped is shipped with the base OS).
> Well, kauth does authorization checking, we are talking here about providing
> separate namespaces for different processes (networking, filesystem etc.)
Yes, but there are various KAUTH_REQ_PROCESS_CANSEE* that solve parts of
that problem. Some more may be missing.