Subject: Re: replace chroot() with a chroot overlay file system?
To: None <tech-security@NetBSD.org>
From: Matthias Scheler <tron@zhadum.de>
List: tech-security
Date: 11/07/2005 08:09:47
In article <20051106133804.GB16675@drowsy.duskware.de>,
	Martin Husemann <martin@duskware.de> writes:
> On Sun, Nov 06, 2005 at 12:38:08PM +0100, haad wrote:
>> My question is can we implement something like FreeBSD jail & Solaris10
>> zone??
> Could someone please give a summary of Solaris zones?

Zones are virtual hosts sharing a single kernel. The global zone (the
real system) has full access rights to everything; all the other
so-called local zones are restricted. They are e.g. trapped in a
subdirectory of the filesystem space, cannot configure network interfaces
and don't see other zones. Each local zone gets one or more
IP addresses configured in the global zone for network connectivity.
Although all zones share one network stack they are limited to using
their own IP addresses and have separate TCP and UDP port spaces.

	Kind regards

-- 
Matthias Scheler                                  http://scheler.de/~matthias/