On Tue, 19 May 2020 21:26:02 -0700 "Greg A. Woods" <wo...@planix.com> wrote:
> One of the things I've been hoping to learn in this discussion is
> more concretely what the true low-level requirements are, over and above
> what can be done with existing chroot and user/login-class rlimits in
> order to provide useful isolation of applications.

For the purpose of isolation of applications, I'd like to segment the
process tree in the same way that chroot segments the filesystem tree. I
don't necessarily need a "root" user inside these segments. Semantics
similar to chroot, wherein a parent process calls the appropriate system
call and from that point forward can only interact with its child
processes - which inherit the same segment - would be perfect.

Starting an entire bare metal hypervisor and multiple kernels feels like
overkill for this task, especially when plenty of other operating systems
have had the ability for a decade or more.

And yes, I have looked into curtain mode. It's interesting but does not do
this.

-- 
Aaron B. <aa...@zadzmo.org>