Date: Thu, 25 Nov 2021 13:33:30 +0000
From: "Dave Cottlehuber" <dch@freebsd.org>
To: "Allan Jude" <allanjude@freebsd.org>
Cc: "FreeBSD Hackers" <freebsd-hackers@freebsd.org>
Subject: Re: Call for Foundation-supported Project Ideas
Message-ID: <da4fbb10-4a32-4efc-b3e7-720a0a0cb825@www.fastmail.com>
In-Reply-To: <246adde5-6a7a-4102-abb4-16c766ea78d1@freebsd.org>
References: <861r36xzpe.fsf@phe.ftfl.ca> <66b556bf-e797-483b-b377-182859be572a@www.fastmail.com> <246adde5-6a7a-4102-abb4-16c766ea78d1@freebsd.org>
On Wed, 24 Nov 2021, at 21:46, Allan Jude wrote:
>
>> 3. jail creation and usage as non-root
>
> I was discussing the idea of 'user jails' with a few people around
> EuroBSDcon. Do you have some specific use cases, and/or ideas of what
> would be allowed and not allowed?

My classic use case is that we do a bunch of CI-like stuff that requires:

- the network stack & jailed pf rules are already set up in advance, as it doesn't change in practice for each jail
- delegated zfs permissions to prepare a new jail from template
- mount a few random things into it (tmpfs, nullfs & more zfs, no root reqd)
- *now* I want a jail with the above prepared already

The first 3 can be done already without root. I could totally live with that as bare bones, but bonus points for:

- there should be an event (a la devd for example) on jail creation, & when the jail is complete (or a timeout has occurred) to clean up
- running the entire jail as non-root and unable to escalate to root
- a random uid for the jail user (not just inheriting *current* user)
- faking zfs permissions to match the random uid (e.g. on mount rewrite www:www as 8000:8000 instead)
- setting more restrictions than the user's jail already has (cpu/mem resource controls for example)

A+
Dave
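The "first 3" steps Dave says already work without root (delegated zfs permissions, user mounts of tmpfs/nullfs, a pre-built template) can be sketched as a small script. This is an added example for readers of the archive, not code from Dave's mail or from the FreeBSD project. The pool and dataset layout (zroot/jails, zroot/jails/template), the unprivileged account name (ci), the /jails mountpoint directory (assumed to be owned by that account) and the build id are all assumptions; the delegated permission set is deliberately kept to what the workflow needs and omits `allow`, so the CI user cannot widen its own grant.

```shell
#!/bin/sh
# Added example: least-privilege preparation of a jail root from a ZFS
# template by an unprivileged CI user. Not FreeBSD project code; names
# below are assumptions for illustration.
set -eu

POOL=${POOL:-zroot}            # assumed pool name
JAILS="$POOL/jails"            # assumed parent dataset for jail roots
TEMPLATE="$JAILS/template"     # assumed pre-built, read-only template
CI_USER=${CI_USER:-ci}         # assumed unprivileged CI account
ZFS=${ZFS:-zfs}                # command indirection: set ZFS=echo to dry-run
SYSCTL=${SYSCTL:-sysctl}
MOUNT=${MOUNT:-mount}

# Minimal delegated permission set: snapshot and clone the template,
# mount and later destroy the clone. No 'allow' (cannot self-escalate),
# no 'share', no 'send'/'receive'.
DELEGATED_PERMS="create,clone,snapshot,mount,destroy"

# One-off setup, run once as root.
setup_delegation() {
    # Non-root mounts are only honoured for directories the user owns.
    $SYSCTL vfs.usermount=1
    $ZFS allow -u "$CI_USER" "$DELEGATED_PERMS" "$JAILS"
}

# Per-run steps, executed as $CI_USER. $1 is a jail/build id (assumed).
# Prints the dataset name that a later jail(8) invocation would use.
prepare_jail_root() {
    jid=$1
    ds="$JAILS/$jid"
    root="/jails/$jid"   # assumed mountpoint under a dir owned by $CI_USER
    $ZFS snapshot "$TEMPLATE@$jid"
    $ZFS clone -o mountpoint="$root" "$TEMPLATE@$jid" "$ds"
    # Throwaway scratch space and a read-only view of the host's ports
    # tree; neither needs root once vfs.usermount is enabled.
    $MOUNT -t tmpfs tmpfs "$root/tmp"
    $MOUNT -t nullfs -o ro /usr/ports "$root/usr/ports"
    echo "$ds"
}

# Tear-down for the same id; destroying the clone also unmounts it.
cleanup_jail_root() {
    jid=$1
    $MOUNT -u "/jails/$jid/usr/ports" 2>/dev/null || true
    $ZFS destroy "$JAILS/$jid"
    $ZFS destroy "$TEMPLATE@$jid"
}

case "${1:-}" in
    setup)   setup_delegation ;;
    prepare) prepare_jail_root "$2" ;;
    cleanup) cleanup_jail_root "$2" ;;
esac
```

Run `setup` once as root, then `prepare <id>` and `cleanup <id>` as the CI account; setting `ZFS=echo MOUNT=echo` prints the exact commands instead of running them, which is a cheap way to review the permission footprint before granting it.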
