A Box API without the Sand
Mina Galić
me+freebsd at igalic.co
Thu Jan 7 19:42:32 UTC 2021
Hello FreeBSD developers
I’m trying to find an (existing) API on FreeBSD which allows me to box in a process and all of its descendants. That box should be easy to identify, and allow process management, accounting and resource management.
Unfortunately all boxes Iʼm finding come pre-filled with Sand that’s impossible to get rid of, or lack some of the other requirements.
An analogue for such an API can be found in Solaris Contracts and Linux Cgroups.
Cgroups are extensively used in many init implementations on Linux to contain, identify and control services.
Personally, i used contracts on Solaris for that very purpose, in an in-house deployment software, long before systemd was hip.
I would like to do something like that in init/rc on FreeBSD. But i can’t seem to find an API that fits the bill.
The normal POSIX process management facilities, like process groups and process sessions are too easy to escape. But given their primary use is job control, that’s a feature, not a bug. Either way, they can be ruled out.
The closest we have are jail(2) and Capsicum(4), as well as the functions supplementing the latter, such as pdfork(2) & co.
Jails are really good at containing and identifying process groups, and for managing their resources.
However, jailing every single daemon on a system, while desirable by some, would make many daemons useless. sshd and monitoring software are my prime examples, but there are probably many more.
Capsicum, again, seems more concerned with the Sand than the box: i cannot seem to find anything that would help identify a process group. Except for pdfork(2)'s procdesc(4).
Fortuitously, these can be used independently of Capsicum, so that means we have an identity and control, but i can’t find any information on whether all descendants will remain within the same procdesc.
That’s as far as my research has gotten me, so before i dig myself any deeper, i’d like to ask for your help.
And, most importantly, if no such API exists yet, where to start in adding it, or modifying an existing API to suit these requirements?
Best regards,
Mina
https://alpha.pkgbase.live/
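The message's point that process groups and sessions are too easy to escape to serve as a service boundary, shown as an added example that is not part of the original post. The function name and the "service" process are hypothetical; only POSIX calls are used, so it behaves the same on FreeBSD and Linux.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if a descendant left the "service" process group and outlived
 * killpg() on that group, 0 if it was contained, -1 on setup failure. */
int descendant_escapes_pgrp(void)
{
    int fds[2];
    pid_t info[2];                          /* escapee's { pid, pgid } */
    if (pipe(fds) == -1) return -1;

    pid_t svc = fork();                     /* hypothetical "service" */
    if (svc == -1) return -1;
    if (svc == 0) {
        setpgid(0, 0);                      /* leader of its own group */
        pid_t d = fork();
        if (d == -1) _exit(1);
        if (d == 0) {                       /* descendant of the service */
            setsid();                       /* new session, new process group */
            info[0] = getpid();
            info[1] = getpgrp();
            if (write(fds[1], info, sizeof info) != (ssize_t)sizeof info) _exit(1);
        }
        close(fds[1]);
        pause();                            /* both wait to be signalled */
        _exit(0);
    }
    setpgid(svc, svc);                      /* repeat in the parent: no race */
    close(fds[1]);
    ssize_t n = read(fds[0], info, sizeof info);
    close(fds[0]);

    killpg(svc, SIGKILL);                   /* "stop the service" by group */
    waitpid(svc, NULL, 0);
    if (n != (ssize_t)sizeof info) return -1;

    int escaped = info[1] != svc && kill(info[0], 0) == 0;
    kill(info[0], SIGKILL);                 /* clean up the escapee by PID */
    return escaped;
}

int main(void)
{
    printf("descendant escaped: %d\n", descendant_escapes_pgrp());
    return 0;
}
```

The supervisor here can only clean up because the escapee reported its own PID; a daemon that does not cooperate leaves nothing to signal.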