Re: OS-level virtualization

["Aaron B." <aaron%zadzmo.org@localhost>]

On Tue, 6 Apr 2021 20:16:25 +0200
Martin Husemann <martin%duskware.de@localhost> wrote:

> On Tue, Apr 06, 2021 at 06:11:52PM -0000, Christos Zoulas wrote:
> > In article <20210406163302.GJ6788%mail.duskware.de@localhost>,
> > Martin Husemann  <martin%duskware.de@localhost> wrote:
> > >On Tue, Apr 06, 2021 at 12:29:31PM -0400, Aaron B. wrote:
> > >> It's just the same chroot system call under the hood. And currently,
> > >> that's all there is. The kernel simply doesn't have any other way to
> > >> isolate processes at the time.
> > >
> > >Well, there is kauth(9), which can be extended by specific listeners
> > >(but AFAIK nothing shrink-wrapped is shipped with the base OS).
> > 
> > Well, kauth does authorization checking, we are talking here about providing
> > separate namespaces for different processes (networking, filesystem etc.)
> 
> Yes, but there are various KAUTH_REQ_PROCESS_CANSEE* that solve parts of
> that problem. Some more may be missing.
> 

I have an idea for a 'create silo' system call, which works like chroot
- but instead of operating on the filesystem, it hooks into those exact
kauth permissions to isolate a process and it's descendants. It still
wouldn't be a full jail/container, but a decent step forward.

I would happily implement this myself, but the past few years have not
left me with the spare time to try.

-- 
Aaron B. <aaron%zadzmo.org@localhost>