
I've been researching possible operating systems to host websites and am interested in security. I really like the FreeBSD jail system and understand that OpenBSD discontinued its jail system some years back due to the possible exploitation of race conditions. My general question is: is it feasible to write a jail in C that is not dependent on the alteration of OpenBSD's source code? Or is it necessary to make adjustments in the kernel etc. in order for a jail to properly work?

For instance, could one write a wrapper for the new virtual machine in OpenBSD (vmm) that would essentially make it impossible for a user to access anything outside of the virtual machine? Or is this basically not possible because there would always be a way to break into the system due to either how OpenBSD is coded or how C interacts with it?

  • Well yeah, if you run OpenBSD in a VM, then you should be able to constrain it to that VM. The OS might run more efficiently in such an environment if it has built-in hooks for that, but a vanilla kernel ought not to completely fail. A virtual machine manager is a complex piece of software, however. It probably is not feasible for you to *write* one yourself. – John Bollinger Jun 01 '17 at 18:07
  • I mean if I'm running a VM on OpenBSD, not if I run OpenBSD on a VM. There is a VMM already on OpenBSD, I'm asking about whether or not a wrapper can be created for it, not about writing my own VM. –  Jun 01 '17 at 18:19
  • And what do you imagine is running *in* your VM? By your analogy with the FreeBSD jail system, it would be the same as the host OS, i.e. OpenBSD, so yes, you do seem to be talking about running OpenBSD in a VM. – John Bollinger Jun 01 '17 at 18:25
  • Anyway, your question was "is it feasible to write a jail in C that is not dependent on the alteration of OpenBSD's source code?" Forgive me for taking away the mistaken impression that you were asking about writing software yourself to implement something jail-like (such as a VMM). – John Bollinger Jun 01 '17 at 18:29
  • If you in fact mean to ask specifically about using OpenBSD's existing VMM, then it would be helpful for you to explain what aspects of it lead you to believe that any kind of wrapper at all would be necessary. – John Bollinger Jun 01 '17 at 18:30
  • It's not necessarily true that I would want to host only OpenBSD installations on the VMs created as a subset of the larger OpenBSD system. In terms of wrapping a VM I'm not entirely sure it's the best example, but it's the first I thought of. It may be more accurate to say it would be nice to be able to run both a VM and a jail on OpenBSD, as full virtualization is not necessarily desirable for all applications. –  Jun 01 '17 at 18:52

1 Answer


Is it feasible to write a jail in C that is not dependent on the alteration of OpenBSD's source code? Or is it necessary to make adjustments in the kernel etc. in order for a jail to properly work?

No and Yes.

The entire point of jails is to partition a system into several independent mini-systems. They all share the same kernel and have significantly less overhead than a VM.

OpenBSD does support chroot(8), but jail functionality is far more than chroot. For example, if your chroot environment were to be compromised, the attacker could break out of the chroot environment. This would allow root control of the entire system. If you have a compromised jail, they only have root in the jail.

James Risner
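As an added example (not code from the question, the answer or OpenBSD), the following C program makes the answer's chroot point concrete. `escape_chroot()` is the classic breakout that only works while the process still holds root inside the chroot; `enter_chroot()` is the hardened pattern (chroot, chdir("/"), then drop root for good) that makes the breakout fail. The unprivileged uid/gid 65534 ("nobody" by convention) is an assumption of this example, as is the `x` scratch directory name; `drop_privileges_selfcheck()` exists only so the privilege-drop part can be exercised without a real chroot. It uses only POSIX calls (`chroot`, `chdir`, `setgroups`, `setgid`, `setuid`), so it builds on OpenBSD, FreeBSD and Linux alike.

```c
#define _DEFAULT_SOURCE   /* expose chroot(2)/setgroups(2) prototypes on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The classic breakout the answer alludes to. It works only while the
 * process still has root inside the chroot: re-chroot into a fresh
 * subdirectory without chdir()ing into it, so the working directory now
 * lies outside the new root; ".." then climbs the real tree until the real
 * "/" is reached, and a final chroot(".") makes that the root again.
 * Returns 0 on success, -1 (errno set) on failure. */
int escape_chroot(void)
{
	if (mkdir("x", 0700) == -1 && errno != EEXIST)   /* "x" is an assumed scratch name */
		return -1;
	if (chroot("x") == -1)        /* cwd is now outside the new root */
		return -1;
	for (int i = 0; i < 64; i++)  /* deeper than any realistic chroot path */
		if (chdir("..") == -1)
			return -1;
	return chroot(".");
}

/* Hardened form: give up root for good right after entering the chroot.
 * Without root, the mkdir()/chroot() calls above are refused (EPERM),
 * which is the difference between a chroot and a jail's "root inside only". */
int drop_privileges(uid_t uid, gid_t gid)
{
	/* Clear supplementary groups first; only root may do this, and it
	 * has to happen before the uid is dropped. */
	if (geteuid() == 0 && setgroups(0, NULL) == -1)
		return -1;
	if (setgid(gid) == -1)        /* gid before uid, or setgid() is refused */
		return -1;
	if (setuid(uid) == -1)
		return -1;
	/* A successful setuid(0) here would mean the drop was not permanent. */
	if (uid != 0 && setuid(0) == 0)
		return -1;
	return 0;
}

int enter_chroot(const char *root, uid_t uid, gid_t gid)
{
	if (chroot(root) == -1)
		return -1;
	if (chdir("/") == -1)         /* never leave cwd outside the new root */
		return -1;
	return drop_privileges(uid, gid);
}

/* Self-check that needs no chroot: when run as root, drop to 65534/65534
 * (assumed "nobody"); otherwise keep the current ids. Then confirm that
 * root cannot be regained. Returns 1 when privileges are gone for good. */
int drop_privileges_selfcheck(void)
{
	int was_root = getuid() == 0;
	uid_t uid = was_root ? 65534 : getuid();
	gid_t gid = was_root ? 65534 : getgid();

	if (drop_privileges(uid, gid) == -1)
		return 0;
	return setuid(0) == 0 ? 0 : 1;
}

int main(int argc, char **argv)
{
	if (argc != 2) {
		fprintf(stderr, "usage: %s <chroot-dir>   (run as root)\n", argv[0]);
		return 2;
	}
	if (enter_chroot(argv[1], 65534, 65534) == -1) {
		perror("enter_chroot");
		return 1;
	}
	/* With root gone, the breakout must now fail (EPERM or EACCES). */
	if (escape_chroot() == 0) {
		fprintf(stderr, "escaped the chroot: privileges were not dropped\n");
		return 1;
	}
	printf("chroot escape refused: %s\n", strerror(errno));
	return 0;
}
```

Run as root with a directory argument, the program enters the chroot, drops to the unprivileged ids and then reports that the breakout was refused; remove the `drop_privileges()` call from `enter_chroot()` and the same binary escapes, which is the behaviour the answer warns about. A jail closes this hole in the kernel instead of relying on the process to drop root.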