Contributed by merdely on from the get-out-of-jail-free dept.
Kristaps Dzonsons writes:
sysjail, sysjail.bsd.lv, is a user-land virtualisation system first released early last year. The primary goal of sysjail is to provide the functionality of FreeBSD's jail(8) to OpenBSD (and NetBSD) users. Since November, the project has quieted, but in the past few months I've had opportunity to fix outstanding bugs. Since then, sysjail has been nearly completely re-written and needs testing to stabilise.
The list of changes is considerable, but the most visible is emulation. sysjail now supports emulated FreeBSD and Linux binaries, in effect allowing emulated binaries to have the same containment as native binaries. Overshadowing this visible change is cleanliness: the system has been re-written with a stricter eye toward clean, manageable code. Other notable improvements: prisons may be internally shut down with standard calls to shutdown(8) and the reboot(8) family, IPv6 is supported, multiple addresses are supported, sysjail(3) is droppable into any source tree, etc. Many, many bug-fixes join these new features.
In order to put sysjail into stable/maintenance mode, I need rigorous testing. Internally, we use sysjail with httpd and sshd, but this is minor use of a potentially powerful tool. The emulation isn't well-tested either: my understanding of the system calls arises from examination of the compat sources, which may not be correct. Some of Linux's semantics, especially socketcall(2), are particularly crufty.
sysjail has its lusty eyes on being stable and totally transparent in terms of security expectations. With this done, I can slap a "stable" sticker on the sources and put them in maintenance mode. A noble goal. If you've used sysjail before, or are interested in jail(8)-like facilities, please test and submit bugs! --bsd.lv
Editor's note: I briefly played with sysjail the other day to set up a jailed web/ssh server on -current. My end goal is to allow users I host websites for to scp/sftp their website files to their website directory without having access to the rest of the system. It was not difficult to set up and it works pretty well.