Cells for NetBSD: kernel-enforced, jail-like isolation

akagusu

Cells for NetBSD is an early-stage but steadily maturing system for lightweight, kernel-enforced isolation on NetBSD. It closes the operational gap between simple chroot environments and full virtualization platforms such as Xen.

eladx

I’ve seen a few posts about security extensions for NetBSD over the past several months and most of them build on top of the kauth(9) and secmodel(9) frameworks. I was one of the people who worked on these about twenty years ago (!) and I just wanted to say it’s heartwarming to see people still find our work useful and valuable today. Thank you. :)

phkamp

And before anybody speculates too much about Matthias use of "jail-like": I think this can make a lot of sense, because there are many situations, in particular in embedded systems, where you can and should confine at a much smaller scale than jails are really convenient for. It will also be interesting to see if "Cells" can make inroads in the territory the original ACL abandoned, because writing the rules was so complex that it amount to parallel meta-anti-software development. Hat tip to Matthias from here.

Pay08

I'm far from familiar with Linux, is this very different from cgroups?

ggm

I think the write up and rationale and FAQ are near perfect. It's a KISS pure NetBSD model, it's deliberately reductionist and it discusses reasoning and why it differs or is an analogue of other systems. I probably won't be using it because my core investment on FreeBSD does what I need but I think it's interesting.

yjftsjthsd-h

This describes it as more lightweight than other options, but the "Declarative Apply Plan" feature actually seems more feature rich than FreeBSD jails. Very cool feature; actually something I would like on the host.

stevefan1999

Cell as in jail cell, huh