Cells for NetBSD: kernel-enforced, jail-like isolation(netbsd-cells.petermann-digital.de)
45 pointsby akagusu13 hours ago7 comments
  • eladx12 hours ago
    I’ve seen a few posts about security extensions for NetBSD over the past several months and most of them build on top of the kauth(9) and secmodel(9) frameworks. I was one of the people who worked on these about twenty years ago (!) and I just wanted to say it’s heartwarming to see people still find our work useful and valuable today. Thank you. :)
    • bch10 hours ago
      I followed your and @blymn's work then, and filed a bug report against veriexec. blymn gently improved the characterization of the problem and fixed it. That led me to start studying lex/yacc, instead of just treating them like magic.

      Thanks for your work.

  • phkamp11 hours ago
    And before anybody speculates too much about Matthias use of "jail-like":

    I think this can make a lot of sense, because there are many situations, in particular in embedded systems, where you can and should confine at a much smaller scale than jails are really convenient for.

    It will also be interesting to see if "Cells" can make inroads in the territory the original ACL abandoned, because writing the rules was so complex that it amount to parallel meta-anti-software development.

    Hat tip to Matthias from here.

  • akagusu13 hours ago
    Cells for NetBSD is an early-stage but steadily maturing system for lightweight, kernel-enforced isolation on NetBSD.

    It closes the operational gap between simple chroot environments and full virtualization platforms such as Xen.

    • GeorgeTirebiter10 hours ago
      Excuse my ignorance, but does this functionally mean we can treat this as a 'microkernel' a la minix? I always liked the 'tiny protected subsystem' in Ring 0, then a Ring 1 for Drivers (which are restartable, and dynamically loadable), then one or two rings for User processes (maybe Ring 2 for 'ls' etc and Ring 3 for typical user processes).

      I am also curious: What hardware enhancements would benefit 'lightweight, kernel-enforced isolation' ? Do we need memory tags? HW Capability Lists? ?

      ( I believe we've concentrated far too much in making "damn fast pdp-11s" with our hardware advances, and far less on building Reliable Systems -- even if a few percent of peak possible performance is consumed by extra HW. )

  • yjftsjthsd-h10 hours ago
    This describes it as more lightweight than other options, but the "Declarative Apply Plan" feature actually seems more feature rich than FreeBSD jails. Very cool feature; actually something I would like on the host.
  • Pay0811 hours ago
    I'm far from familiar with Linux, is this very different from cgroups?
    • yjftsjthsd-h10 hours ago
      It's kind of in the middle? It's doing more than just cgroups, but less than eg. docker.
  • stevefan19999 hours ago
    Cell as in jail cell, huh
  • ggm11 hours ago
    I think the write up and rationale and FAQ are near perfect. It's a KISS pure NetBSD model, it's deliberately reductionist and it discusses reasoning and why it differs or is an analogue of other systems.

    I probably won't be using it because my core investment on FreeBSD does what I need but I think it's interesting.

    • bb011001005 hours ago
      Agreed on both counts - excellent write-up.

      I use FreeBSD jails and get a lot of value out of separate network stacks for each (vnet jails).

      Would the NetBSD approach here be to lean more heavily on your lan infra to register hostnames with static addresses (pointing at NetBSD host) and then run a host proxy to forward & port-map to the relevant cell? Or is this the wrong kind of use-case for cells?

      • ggm4 hours ago
        I don't personally like proxies, intermediaries, but that said they've been entirely normalised by kubernetes/traefik/haproxy type setups. I do find managing the bridge pseudo-devices, and the various bindings, and DHCP/SLAAC a bit painful because I actually don't understand it well.

        I use bastille, and it seems to "just work" and I looked at Sylve and it had huge potential. When I ask for some ELI5 on bridge/net stuff, I don't get traction so my confusion remains.

        I think a lot of people enable NAT methods which aren't that far removed from a host proxy or port-map. I don't like NAT (see comment above about k8s)