Malicious root user sandboxing
Eugene Grosbein
eugen at grosbein.net
Sun May 17 00:29:19 UTC 2020
17.05.2020 7:02, Ihor Antonov wrote:
> So far it seems that my endeavor is doomed. Any comments or suggestions are
> appreciated.
You'll need to write and test lots of kernel-level code to achieve this.
I'd suggest you re-think your decision about jails because it seems jails can really be the solution
if you combine jails with other system abilities. For example, sharing a subtree
with r/o access is easily achieved using a read-only nullfs mount.
Also, shared PAM does not mean duplication of the system user database;
take a look at: man -k pam_|fgrep '(8)'
Usage of jails does not require any modification of the application.
I did it for multiple setups and it works perfectly.
As a last resort, you may run a nested FreeBSD system using bhyve(8).
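The read-only nullfs share Eugene describes, spelled out as a jail.conf(5) stanza and an fstab(5) line, with a small check over mount(8) "-p" output that flags a nullfs mount accidentally exported read-write. This is an added example, not code from the thread; the jail name, paths, hostname and the sample mount table are assumptions.

```shell
#!/bin/sh
# Added example (not from the freebsd-security thread). Generates the
# configuration for a jail that sees a host directory through a read-only
# nullfs mount, and checks a mount table for nullfs mounts that are not "ro".
# All paths and names below are assumed values for illustration.

JAIL_NAME="app"
JAIL_ROOT="/jails/app"           # assumed jail root
SHARED_SRC="/srv/shared"         # assumed host directory to share read-only
SHARED_DST="${JAIL_ROOT}/mnt/shared"

# fstab(5) line to place in /etc/fstab.<jail>: nullfs with the "ro" option.
# Because allow.mount is off in the stanza below, root inside the jail
# cannot remount it read-write.
fstab_line() {
    printf '%s\t%s\tnullfs\tro\t0\t0\n' "$SHARED_SRC" "$SHARED_DST"
}

# jail.conf(5) stanza; every parameter used here is a documented jail(8)
# parameter. The fstab file referenced by mount.fstab is the one above.
jail_conf() {
    cat <<EOF
${JAIL_NAME} {
    path = "${JAIL_ROOT}";
    host.hostname = "${JAIL_NAME}.example.internal";
    mount.fstab = "/etc/fstab.${JAIL_NAME}";
    mount.devfs;
    devfs_ruleset = 4;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    # in-jail root cannot mount or remount anything
    allow.mount = 0;
    allow.raw_sockets = 0;
    # securelevel >= 1: schg/sappnd flags cannot be cleared from inside
    securelevel = 2;
}
EOF
}

# Read a mount table in fstab format (what `mount -p` prints) from stdin and
# succeed only if $1 is mounted as nullfs with the "ro" option. Feeding it
# `mount -p` on a live host or a captured sample works the same way.
is_ro_nullfs() {
    awk -v m="$1" '
        $2 == m && $3 == "nullfs" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample of `mount -p` output: the shared subtree is correct,
# while a second nullfs mount has been exported read-write by mistake.
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
/srv/shared /jails/app/mnt/shared nullfs ro 0 0
/srv/other /jails/app/mnt/other nullfs rw 0 0'

# Stand-alone run: print the generated config, then audit the sample table.
fstab_line
jail_conf
printf '%s\n' "$SAMPLE_MOUNTS" | is_ro_nullfs "$SHARED_DST" \
    && echo "ok: $SHARED_DST is a read-only nullfs mount"
printf '%s\n' "$SAMPLE_MOUNTS" | is_ro_nullfs /jails/app/mnt/other \
    || echo "WARNING: /jails/app/mnt/other is a writable nullfs mount"
```

On a real host the audit step is `mount -p | is_ro_nullfs /jails/app/mnt/shared`; the generated stanza goes into /etc/jail.conf and the fstab line into the file named by mount.fstab.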
More information about the freebsd-security mailing list