Re: Call for Foundation-supported Project Ideas

From: Dave Cottlehuber <dch_at_freebsd.org>
Date: Thu, 25 Nov 2021 13:33:30 UTC
On Wed, 24 Nov 2021, at 21:46, Allan Jude wrote:
>
>> 3. jail creation and usage as non-root
> 
> I was discussing the idea of 'user jails' with a few people around 
> EuroBSDcon. Do you have some specific use cases, and/or ideas of what 
> would be allowed and not allowed?
 
My classic use case is that we do a bunch of CI-like stuff that requires:

- the network stack & jailed pf rules are already set up in advance, as
  it doesn't change in practice for each jail
- delegated zfs permissions to prepare a new jail from template
- mount a few random things into it (tmpfs, nullfs & more zfs, no root reqd)
- *now* I want a jail with the above prepared already

The first 3 can be done already without root. I could totally live with
that as bare bones, but bonus points for:

- there should be an event (a la devd for example) on jail creation, &
  when the jail is complete (or a timeout has occurred) to clean up
- running the entire jail as non-root and unable to escalate to root
- a random uid for the jail user (not just inheriting *current* user)
- faking zfs permissions to match the random uid (e.g. on mount rewrite www:www as 8000:8000 instead)
- setting more restrictions than the user's jail already has (cpu/mem resource controls for example)

A+
Dave