Re: OS-level virtualization

To: Christos Zoulas <christos%astron.com@localhost>
Subject: Re: OS-level virtualization
From: Martin Husemann <martin%duskware.de@localhost>
Date: Tue, 6 Apr 2021 20:16:25 +0200

On Tue, Apr 06, 2021 at 06:11:52PM -0000, Christos Zoulas wrote:
> In article <20210406163302.GJ6788%mail.duskware.de@localhost>,
> Martin Husemann  <martin%duskware.de@localhost> wrote:
> >On Tue, Apr 06, 2021 at 12:29:31PM -0400, Aaron B. wrote:
> >> It's just the same chroot system call under the hood. And currently,
> >> that's all there is. The kernel simply doesn't have any other way to
> >> isolate processes at the time.
> >
> >Well, there is kauth(9), which can be extended by specific listeners
> >(but AFAIK nothing shrink-wrapped is shipped with the base OS).
> 
> Well, kauth does authorization checking, we are talking here about providing
> separate namespaces for different processes (networking, filesystem etc.)

Yes, but there are various KAUTH_REQ_PROCESS_CANSEE* that solve parts of
that problem. Some more may be missing.

Martin

Follow-Ups:
- Re: OS-level virtualization
  - From: Austin Kim
- Re: OS-level virtualization
  - From: Aaron B.

References:
- OS-level virtualization
  - From: Austin Kim
- Re: OS-level virtualization
  - From: Pierre-Philipp Braun
- Re: OS-level virtualization
  - From: Aaron B.
- Re: OS-level virtualization
  - From: Martin Husemann
- Re: OS-level virtualization
  - From: Christos Zoulas

Prev by Date: Re: OS-level virtualization
Next by Date: Re: OS-level virtualization
Previous by Thread: Re: OS-level virtualization
Next by Thread: Re: OS-level virtualization
Indexes:

Home | Main Index | Thread Index | Old Index