Re: Call for Foundation-supported Project Ideas
- In reply to: Allan Jude : "Re: Call for Foundation-supported Project Ideas"
Date: Thu, 25 Nov 2021 13:33:30 UTC
On Wed, 24 Nov 2021, at 21:46, Allan Jude wrote:
> >> 3. jail creation and usage as non-root
>
> I was discussing the idea of 'user jails' with a few people around
> EuroBSDcon. Do you have some specific user cases, and/or ideas of what
> would be allowed and not allowed?

My classic use case is that we do a bunch of CI-like stuff that requires:

- the network stack & jailed pf rules are already set up in advance,
  as it doesn't change in practice for each jail
- delegated zfs permissions to prepare a new jail from template
- mount a few random things into it (tmpfs, nullfs & more zfs, no root reqd)
- *now* I want a jail with the above prepared already

the first 3 can be done already without root.

I could totally live with that as bare bones, but bonus points for:

- there should be an event (a la devd for example) on jail creation,
  & when the jail is complete (or a timeout has occurred) to clean up
- running the entire jail as non-root and unable to escalate to root
- a random uid for the jail user (not just inheriting *current* user)
- faking zfs permissions to match the random uid
  (e.g. on mount rewrite www:www as 8000:8000 instead)
- setting more restrictions than the user's jail already has
  (cpu/mem resource controls for example)

A+
Dave