Re: Process Isolation
Sent via BlackBerry® from Telstra

-Original Message-
From: "Johnathan M."
Sender: owner-m...@openbsd.org
Date: Thu, 6 Feb 2020 08:26:05
To: Charlie Burnett
Cc:
Subject: Re: Process Isolation

On Thu, Feb 6, 2020, 4:22 AM Charlie Burnett wrote:
> Hey y'all,
>
> Sorry if this has been answered before but I couldn't find a satisfactory
> answer searching for it, and this is more of an academic question. So
> security focused Linux distros like Qubes go to extremes to
> compartmentalize/isolate any and all programs it can.
>

Qubes uses a hypervisor like kvm/qemu iirc, and the equivalent for OpenBSD would be vmm/vmd.

>
Re: Process Isolation
On Thu, Feb 6, 2020, 4:22 AM Charlie Burnett wrote:
> Hey y'all,
>
> Sorry if this has been answered before but I couldn't find a satisfactory
> answer searching for it, and this is more of an academic question. So
> security focused Linux distros like Qubes go to extremes to
> compartmentalize/isolate any and all programs it can.
>

Qubes uses a hypervisor like kvm/qemu iirc, and the equivalent for OpenBSD would be vmm/vmd.

>
Re: Process Isolation
On 2020-02-06 07:59, Charlie Burnett wrote:
> I apologize if this was a question I've somehow missed the answer to!

OpenBSD takes a more fine-grained approach in isolating functions rather than whole programs, ideally by the person best suited to do the job (the program developer). Isolating whole programs has proven not to work very well, especially on Intel ;)

https://www.openbsd.org/papers/bsdcan2019-unveil/index.html
Re: Process Isolation
On Thu, 6 Feb 2020 at 10:22, Charlie Burnett wrote:
> Sorry if this has been answered before but I couldn't find a satisfactory
> answer searching for it, and this is more of an academic question. So
> security focused Linux distros like Qubes go to extremes to
> compartmentalize/isolate any and all programs it can. FreeBSD has its jail
> program which is seemingly the gold standard for process isolation when you
> can't be bothered to go to the extent Qubes does. I've been trying to read
> as much OpenBSD source as I can as I find some of the security tricks
> y'all've come up with damn interesting. I know that once upon a time we had
> sysjail, but nowadays we just have chroot which most systems do. What
> is OpenBSD's solution to this? I'm sure I've read through it I just didn't
> realize the purpose.
>
> I apologize if this was a question I've somehow missed the answer to!
>

Almost looks like you missed the question while posting the answer.

You list some-linux does X, fbsd does Y, obsd does Z (which you find damn interesting!) and then ask "what is openbsd's solution to this?".

As of now, Z is the list of mitigations openbsd does, and that is.. the solution to "this".

--
May the most significant bit of your life be positive.
Process Isolation
Hey y'all,

Sorry if this has been answered before but I couldn't find a satisfactory answer searching for it, and this is more of an academic question. So security focused Linux distros like Qubes go to extremes to compartmentalize/isolate any and all programs it can. FreeBSD has its jail program which is seemingly the gold standard for process isolation when you can't be bothered to go to the extent Qubes does. I've been trying to read as much OpenBSD source as I can as I find some of the security tricks y'all've come up with damn interesting. I know that once upon a time we had sysjail, but nowadays we just have chroot which most systems do. What is OpenBSD's solution to this? I'm sure I've read through it I just didn't realize the purpose.

I apologize if this was a question I've somehow missed the answer to!