NetBSD-Users archive


Re: OS-level virtualization



On Apr 6, 2021, at 2:16 PM, Martin Husemann <martin%duskware.de@localhost> wrote:
> 
> On Tue, Apr 06, 2021 at 06:11:52PM -0000, Christos Zoulas wrote:
>> In article <20210406163302.GJ6788%mail.duskware.de@localhost>,
>> Martin Husemann  <martin%duskware.de@localhost> wrote:
>>> On Tue, Apr 06, 2021 at 12:29:31PM -0400, Aaron B. wrote:
>>>> It's just the same chroot system call under the hood. And currently,
>>>> that's all there is. The kernel simply doesn't have any other way to
>>>> isolate processes at the time.
>>> 
>>> Well, there is kauth(9), which can be extended by specific listeners
>>> (but AFAIK nothing shrink-wrapped is shipped with the base OS).
>> 
>> Well, kauth does authorization checking, we are talking here about providing
>> separate namespaces for different processes (networking, filesystem etc.)
> 
> Yes, but there are various KAUTH_REQ_PROCESS_CANSEE* that solve parts of
> that problem. Some more may be missing.
> 
> Martin

Hmmm… Now I’m starting to wonder how much of the equivalent functionality you could achieve just through judicious use of chroot(2) and kauth(9) alone 🤔

“We are responsible for actions performed in response to circumstances for which we are not responsible.”  —Allan Massie, _A Question of Loyalties_, 1989

