Date: Thu, 07 Jan 2021 12:14:35 -0800
From: Chris <bsd-lists@bsdforge.com>
To: freebsd-hackers <freebsd-hackers@freebsd.org>
Cc: Mina Galić <me+freebsd@igalic.co>
Subject: Re: A Box API without the Sand
Message-ID: <a2e5664621d15cd1833cbe74e49f5868@bsdforge.com>
In-Reply-To: <RMv80q1tdgA5HHEO6EEe16A2OQ8aKLl7Ezb97L_prKu7fkTAQct01S2CVxeUyTqT0hrVnFzv8k7_ErcFLo1PevkkFCr-zMeKX4w5ZbS925o=@igalic.co>
References: <RMv80q1tdgA5HHEO6EEe16A2OQ8aKLl7Ezb97L_prKu7fkTAQct01S2CVxeUyTqT0hrVnFzv8k7_ErcFLo1PevkkFCr-zMeKX4w5ZbS925o=@igalic.co>

On 2021-01-07 11:42, Mina Galić wrote:
> Hello FreeBSD developers
>
> I’m trying to find an (existing) API on FreeBSD which allows me to box in a
> process and all of its descendants. That box should be easy to identify, and
> allow process management, accounting and resource management.
>
> Unfortunately all boxes I’m finding come pre-filled with Sand that’s
> impossible to get rid of, or lack some of the other requirements.
>
> An analogue for such an API can be found in Solaris Contracts and Linux
> Cgroups.
>
> Cgroups are extensively used in many init implementations on Linux to
> contain, identify and control services.
> Personally, i used contracts on Solaris for that very purpose, in an
> in-house deployment software, long before systemd was hip.
>
> I would like to do something like that in init/rc on FreeBSD. But i can’t
> seem to find an API that fits the bill.
>
> The normal POSIX process management facilities, like process groups and
> process sessions are too easy to escape. But given their primary use is job
> control, that’s a feature, not a bug. Either way, they can be ruled out.
>
> The closest we have are jail(2) and Capsicum(4), as well as the functions
> supplementing the latter, such as pdfork(2) & co.
>
> Jails are really good at containing and identifying process groups, and for
> managing their resources.
> However, jailing every single daemon on a system, while desirable by some,
> would make many daemons useless. sshd and monitoring software are my prime
> examples, but there are probably many more.
>
> Capsicum, again, seems more concerned with the Sand than the box: i cannot
> seem to find anything that would help identify a process group. Except for
> pdfork(2)'s procdesc(4).
>
> Fortuitously, these can be used independently of Capsicum, so that means we
> have an identity and control, but i can’t find any information on whether all
> descendants will remain within the same procdesc.
>
> That’s as far as my research has gotten me, so before i dig myself any
> deeper, i’d like to ask for your help.
>
> And, most importantly, if no such API exists yet, where to start in adding
> it, or modifying an existing API to suit these requirements?

If I understand you correctly, I'm unable to understand where jail(8) doesn't
satisfy your needs. Nothing prevents you from running multiple daemons within
a single jail. You can easily control access restrictions in and out of the
jail(s) via pf(4).
Apologies if I didn't correctly understand your needs/intentions.

--Chris

>
> Best regards,
>
> Mina
> https://alpha.pkgbase.live/
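
The quoted remark that POSIX process groups and sessions are too easy to escape, shown as an added example that is not part of the original thread: a descendant of a service that was placed in its own process group leaves that group with one unprivileged setsid(2) call, so a signal sent to the group no longer reaches it. The function name is hypothetical; only standard POSIX calls are used.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added illustration (not from the thread). Models a supervisor that puts a
 * service in its own process group, then checks whether a descendant that
 * calls setsid(2) is still a member of that group.
 * Returns 1 if the descendant left the group, 0 if it stayed, -1 on error. */
int descendant_leaves_group(void)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;

    pid_t service = fork();
    if (service == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (service == 0) {
        close(fds[0]);
        setpgid(0, 0);                    /* service becomes its own group leader */
        pid_t service_pgid = getpgrp();
        pid_t worker = fork();            /* descendant inherits service_pgid */
        if (worker == 0) {
            setsid();                     /* allowed: worker is not a group leader */
            int left = (getpgrp() != service_pgid);
            if (write(fds[1], &left, sizeof left) != (ssize_t)sizeof left)
                _exit(1);
            _exit(0);
        }
        if (worker > 0)
            waitpid(worker, NULL, 0);
        _exit(worker > 0 ? 0 : 1);
    }
    close(fds[1]);
    int left = -1;
    ssize_t n = read(fds[0], &left, sizeof left);
    close(fds[0]);
    waitpid(service, NULL, 0);
    return n == (ssize_t)sizeof left ? left : -1;
}

int main(void)
{
    printf("descendant left the service's process group: %d\n",
           descendant_leaves_group());
    return 0;
}
```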