I’ve seen a few posts about security extensions for NetBSD over the past several months and most of them build on top of the kauth(9) and secmodel(9) frameworks. I was one of the people who worked on these about twenty years ago (!) and I just wanted to say it’s heartwarming to see people still find our work useful and valuable today. Thank you. :)
I followed your and @blymn's work then, and filed a bug report against veriexec. blymn gently improved the characterization of the problem and fixed it. That led me to start studying lex/yacc, instead of just treating them like magic.
This describes it as more lightweight than other options, but the "Declarative Apply Plan" feature actually seems more feature rich than FreeBSD jails. Very cool feature; actually something I would like on the host.
Excuse my ignorance, but does this functionally mean we can treat this as a 'microkernel' a la minix? I always liked the 'tiny protected subsystem' in Ring 0, then a Ring 1 for Drivers (which are restartable, and dynamically loadable), then one or two rings for User processes (maybe Ring 2 for 'ls' etc and Ring 3 for typical user processes).
I am also curious: What hardware enhancements would benefit 'lightweight, kernel-enforced isolation' ? Do we need memory tags? HW Capability Lists? ?
( I believe we've concentrated far too much in making "damn fast pdp-11s" with our hardware advances, and far less on building Reliable Systems -- even if a few percent of peak possible performance is consumed by extra HW. )
And before anybody speculates too much about Matthias use of "jail-like":
I think this can make a lot of sense, because there are many situations, in particular in embedded systems, where you can and should confine at a much smaller scale than jails are really convenient for.
It will also be interesting to see if "Cells" can make inroads in the territory the original ACL abandoned, because writing the rules was so complex that it amount to parallel meta-anti-software development.
I think the write up and rationale and FAQ are near perfect. It's a KISS pure NetBSD model, it's deliberately reductionist and it discusses reasoning and why it differs or is an analogue of other systems.
I probably won't be using it because my core investment on FreeBSD does what I need but I think it's interesting.
12 comments
Thanks for your work.
It closes the operational gap between simple chroot environments and full virtualization platforms such as Xen.
I am also curious: What hardware enhancements would benefit 'lightweight, kernel-enforced isolation' ? Do we need memory tags? HW Capability Lists? ?
( I believe we've concentrated far too much in making "damn fast pdp-11s" with our hardware advances, and far less on building Reliable Systems -- even if a few percent of peak possible performance is consumed by extra HW. )
I think this can make a lot of sense, because there are many situations, in particular in embedded systems, where you can and should confine at a much smaller scale than jails are really convenient for.
It will also be interesting to see if "Cells" can make inroads in the territory the original ACL abandoned, because writing the rules was so complex that it amount to parallel meta-anti-software development.
Hat tip to Matthias from here.
I probably won't be using it because my core investment on FreeBSD does what I need but I think it's interesting.