On Tue, Oct 24, 2023 at 11:07:14AM -0500, Serge E. Hallyn wrote: > In 2005, before namespaces were upstreamed, I posted the 'bsdjail' LSM, > which briefly made it into the -mm kernel, but was eventually rejected as > being an abuse of the LSM interface for OS level virtualization :) > > It's not 100% clear to me whether Stefan only wants isolation, or > wants something closer to virtualization. > > Stefan, would an LSM allowing you to isolate certain processes from > some abstract unix socket paths (or by label, whatever0 suffice for you? > My intention was to find a clean way to isolate abstract sockets in network applications without adding dependencies like LSMs. However the entire approach of using namespaces for this is something I have mostly abandoned. LSMs like Apparmor and SELinux would work fine for process isolation when you can control the target system, but for general deployment of sandboxed processes, I found it to be significantly easier (and more effective) to build this into the application itself by using a multi process approach with seccomp (Basically how OpenSSH did it) - Stefan
