Using bubblewrap to add sandboxing to NetBSD
13 days ago
- #Sandboxing
- #NetBSD
- #Linux Namespaces
- NetBSD currently lacks robust sandboxing techniques, relying only on chroot, which offers limited isolation.
- The project aims to implement Linux-like namespaces in NetBSD, starting with UTS and mount namespaces for process and filesystem isolation.
- UTS namespace isolates hostname and domain name, allowing processes to have their own view of system identifiers.
- Mount namespace provides separate mount points for processes, enabling different filesystem views without affecting the host system.
- Implementation leverages NetBSD's kauth subsystem for credential management and secmodels for namespace isolation.
- The project faced challenges including behavioral differences between Linux and NetBSD, complex VFS concepts, and the extensive research required.
- Future work includes implementing additional namespace types like PID and user namespaces for enhanced isolation and management tools like lsns and setns.
- The project shifted from emulating bubblewrap in compat_linux to directly integrating namespaces into the NetBSD kernel for broader utility.
- The author expresses gratitude to Google Summer of Code, mentors, and the NetBSD community for their support and guidance throughout the project.