For me, zones (jails, containers) are only a very weak security feature. The mitigations, that the security extensions in Solaris 11.3 provide, could maybe, in some cases, be emulated by zones. Solaris 11.4 adds more extensions, that go beyond what process separation (or virtualization) alone could achieve (e.g. attacks using speculative execution).
My original question was not "what is the best security method". I think Oracle's security extensions make sense and are not something to use "instead" of other methods, but "in addition". To broaden my question: I would expect other OSes to come up with similar methods. Should pkgsrc consider a mechanism to add such features (i.e. as default in mk/platform/*.mk), that can be switched off globally or per packet, if desired. And if the answer to this question is "yes", what has to be done to the toolchain to support this? Perl's handling of linker flags is probably one problem. I also tried compiling security/openssl, and it failed in a different way. Maybe the few packages that did compile so far all used libtool, and all others tend to have problems, I'm not sure.
Am 27.05.2020 um 09:31 schrieb Sad Clouds:
Not quite sure what those linking errors actually mean, but wouldn't it be easier not to use those flags? Solaris has good support for Zones, so even in the unlikely event that some binary gets compromised, the damage could be minimal.
-- Jörn Clausen Plattformen & Serverdienste BITS - Bielefelder IT-Servicezentrum https://www.uni-bielefeld.de/bits