NetBSD-Users archive


Re: OS-level virtualization



On Tue 06 Apr 2021 at 20:01:15 -0400, Austin Kim wrote:
> On Apr 6, 2021, at 2:16 PM, Martin Husemann <martin%duskware.de@localhost> wrote:
> > Yes, but there are various KAUTH_REQ_PROCESS_CANSEE* that solve parts of
> > that problem. Some more may be missing.
> > 
> > Martin
> 
> Hmmm? Now I'm starting to wonder how much of the equivalent
> functionality you could achieve just through judicious use of
> chroot(2) and kauth(9) alone ?

I had the same idea in the past, but haven't done anything concrete with
it.

For faking separate PID 'namespaces', you could get away with just
hiding processes that you're not allowed to see. PIDs are random anyway
so you won't really notice.

For other things, like UIDs, GIDs, etc it is a bit trickier because you
could get multiple 'namespaces' using the same value and you can't even
prevent it without causing weird failures. For those, you'd need some
mapping layer somewhere to translate between global values and
inside-the-namespace values. There is something like that for stacked
file systems (mount_umap) but that won't be enough.

Maybe we can invent something cleverer than Linux. Syscall interception
layers as a file system perhaps?

-Olaf.
-- 
___ Q: "What's an anagram of Banach-Tarski?"  -- Olaf "Rhialto" Seibert
\X/ A: "Banach-Tarski Banach-Tarski."         -- rhialto at falu dot nl
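
The UID/GID mapping layer described in the message above, sketched as an added example (not code from this thread or from NetBSD). The extent layout, the names `id_extent`, `id_map`, `id_to_global`, `id_to_inside`, `id_maps_disjoint` and the sample ranges are all hypothetical; the range-based scheme is an assumption, similar in spirit to the uid_map of Linux user namespaces.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ID_UNMAPPED ((uint32_t)-1)  /* no representation on the other side */

/* Inside ids [inside, inside+count) correspond to global ids [global, global+count). */
struct id_extent { uint32_t inside, global, count; };
struct id_map { const struct id_extent *ext; size_t n; };

/* Translate an id used inside the namespace to the global id the kernel checks. */
uint32_t id_to_global(const struct id_map *m, uint32_t inside) {
    for (size_t i = 0; i < m->n; i++) {
        const struct id_extent *e = &m->ext[i];
        if (inside >= e->inside && inside - e->inside < e->count)
            return e->global + (inside - e->inside);
    }
    return ID_UNMAPPED;  /* fail closed: unmapped ids get no global identity */
}

/* Translate a global id (e.g. a file owner) to what the namespace may see. */
uint32_t id_to_inside(const struct id_map *m, uint32_t global) {
    for (size_t i = 0; i < m->n; i++) {
        const struct id_extent *e = &m->ext[i];
        if (global >= e->global && global - e->global < e->count)
            return e->inside + (global - e->global);
    }
    return ID_UNMAPPED;  /* ids owned by the host or another namespace stay hidden */
}

/* Isolation check: two namespaces must never share a global id. */
int id_maps_disjoint(const struct id_map *a, const struct id_map *b) {
    for (size_t i = 0; i < a->n; i++)
        for (size_t j = 0; j < b->n; j++) {
            uint64_t a0 = a->ext[i].global, a1 = a0 + a->ext[i].count;
            uint64_t b0 = b->ext[j].global, b1 = b0 + b->ext[j].count;
            if (a0 < b1 && b0 < a1)
                return 0;
        }
    return 1;
}

/* Constructed sample: both namespaces use inside ids 0..65535. */
static const struct id_extent ns_a_ext[] = { { 0, 100000, 65536 } };
static const struct id_extent ns_b_ext[] = { { 0, 200000, 65536 } };
const struct id_map ns_a = { ns_a_ext, 1 }, ns_b = { ns_b_ext, 1 };

int main(void) {
    printf("uid 1000 -> A:%u B:%u\n", (unsigned)id_to_global(&ns_a, 1000),
           (unsigned)id_to_global(&ns_b, 1000));
    return !id_maps_disjoint(&ns_a, &ns_b);
}
```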
