Process Isolation

Process Isolation

Charlie Burnett
Hey y'all,

Sorry if this has been answered before but I couldn't find a satisfactory
answer searching for it, and this is more of an academic question. So
security focused Linux distros like Qubes go to extremes to
compartmentalize/isolate any and all programs it can. FreeBSD has its jail
program which is seemingly the gold standard for process isolation when you
can't be bothered to go to the extent Qubes does. I've been trying to read
as much OpenBSD source as I can as I find some of the security tricks
y'all've come up with damn interesting. I know that once upon a time we had
sysjail, but nowadays we just have chroot which most systems do. What
is OpenBSD's solution to this? I'm sure I've read through it I just didn't
realize the purpose.

I apologize if this was a question I've somehow missed the answer to!

Re: Process Isolation

Janne Johansson-3
On Thu, 6 Feb 2020 at 10:22, Charlie Burnett <[hidden email]> wrote:

> Sorry if this has been answered before but I couldn't find a satisfactory
> answer searching for it, and this is more of an academic question. So
> security focused Linux distros like Qubes go to extremes to
> compartmentalize/isolate any and all programs it can. FreeBSD has its jail
> program which is seemingly the gold standard for process isolation when you
> can't be bothered to go to the extent Qubes does. I've been trying to read
> as much OpenBSD source as I can as I find some of the security tricks
> y'all've come up with damn interesting. I know that once upon a time we had
> sysjail, but nowadays we just have chroot which most systems do. What
> is OpenBSD's solution to this? I'm sure I've read through it I just didn't
> realize the purpose.
>
> I apologize if this was a question I've somehow missed the answer to!
>

Almost looks like you missed the question while posting the answer.
You list some-linux does X, fbsd does Y, obsd does Z (which you find damn
interesting!) and then ask "what is OpenBSD's solution to this?".

As of now, Z is the list of mitigations openbsd does, and that is.. the
solution to "this".

--
May the most significant bit of your life be positive.

Re: Process Isolation

Kevin Chadwick-4
In reply to this post by Charlie Burnett
On 2020-02-06 07:59, Charlie Burnett wrote:
> I apologize if this was a question I've somehow missed the answer to!

OpenBSD takes a more fine-grained approach in isolating functions rather than
whole programs, ideally by the person best suited to do the job (the program
developer). Isolating whole programs has proven not to work very well,
especially on Intel ;)

https://www.openbsd.org/papers/bsdcan2019-unveil/index.html
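
An added example, not part of the message above and not code from OpenBSD: a sketch of the developer-applied restriction the linked unveil paper covers, where a process limits its own filesystem view with unveil(2) and its system calls with pledge(2). pledge is not named in the thread and is used here as an assumption; the function names, return codes and sample paths are constructed for illustration, and on systems without these calls the probe reports that the lockdown is unsupported.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define LOCKDOWN_UNSUPPORTED 100 /* built on a system without unveil/pledge */
#define LOCKDOWN_FAILED      101 /* fork, unveil(2) or pledge(2) failed */

/* Restrict the calling process to read-only access under `dir`. */
static int lockdown(const char *dir)
{
#ifdef __OpenBSD__
    if (unveil(dir, "r") == -1) return -1;   /* only this subtree stays visible */
    if (unveil(NULL, NULL) == -1) return -1; /* forbid further unveil calls */
    if (pledge("stdio rpath", NULL) == -1) return -1; /* stdio + read-only opens */
    return 0;
#else
    (void)dir;
    errno = ENOSYS;
    return -1;
#endif
}

/* Fork a child, lock it down to `dir`, then try to open two paths read-only.
 * Returns bit 0 set if `inside` opened, bit 1 if `outside` opened, or LOCKDOWN_*. */
int probe_lockdown(const char *dir, const char *inside, const char *outside)
{
    pid_t pid = fork();
    if (pid == -1) return LOCKDOWN_FAILED;
    if (pid == 0) {
        int bits = 0, fd;
        if (lockdown(dir) == -1)
            _exit(errno == ENOSYS ? LOCKDOWN_UNSUPPORTED : LOCKDOWN_FAILED);
        if ((fd = open(inside, O_RDONLY)) != -1) { bits |= 1; close(fd); }
        if ((fd = open(outside, O_RDONLY)) != -1) { bits |= 2; close(fd); }
        _exit(bits);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return LOCKDOWN_FAILED; /* includes a child killed for a pledge violation */
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample paths: the second lies outside the unveiled subtree. */
    printf("%d\n", probe_lockdown("/etc", "/etc/passwd", "/bin/sh"));
    return 0;
}
```

The restriction is applied in a forked child so the parent keeps its full view and can report what the locked-down process was still able to open.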


Re: Process Isolation

John M
In reply to this post by Charlie Burnett
On Thu, Feb 6, 2020, 4:22 AM Charlie Burnett <[hidden email]> wrote:

> Hey y'all,
>
> Sorry if this has been answered before but I couldn't find a satisfactory
> answer searching for it, and this is more of an academic question. So
> security focused Linux distros like Qubes go to extremes to
> compartmentalize/isolate any and all programs it can.
>

Qubes uses a hypervisor like kvm/qemu iirc, and the equivalent for OpenBSD
would be vmm/vmd.

>

Re: Process Isolation

Cal Ledsham

Sent via BlackBerry® from Telstra

-----Original Message-----
From: "Johnathan M." <[hidden email]>
Sender: [hidden email]
Date: Thu, 6 Feb 2020 08:26:05
To: Charlie Burnett<[hidden email]>
Cc: <[hidden email]>
Subject: Re: Process Isolation

On Thu, Feb 6, 2020, 4:22 AM Charlie Burnett <[hidden email]> wrote:

> Hey y'all,
>
> Sorry if this has been answered before but I couldn't find a satisfactory
> answer searching for it, and this is more of an academic question. So
> security focused Linux distros like Qubes go to extremes to
> compartmentalize/isolate any and all programs it can.
>

Qubes uses a hypervisor like kvm/qemu iirc, and the equivalent for OpenBSD
would be vmm/vmd.

>