Hi All,
I hope that everyone is doing well today.
Recently, I have mostly stepped away from Linux, FreeBSD, and
Windows OS's to dive into Illumos and its associated OS's
(SmartOS, OmniOS, and OpenIndiana) to gain more experience so that
I can work on a new Illumos based OS.
For my project direction and in addition to the amazing features
that Illumos-based systems have like Zones which are extremely
useful, I also have a need for application sandboxes and found
that Solaris 11.4 discusses it from what I could find
(https://blogs.oracle.com/solaris/post/application-sandboxing-in-oracle-solaris-114)
and
(https://docs.oracle.com/cd/E37838_01/html/E61023/dlp-sbox.html)
and seems to be built into the OS.
Since I am not yet familiar with the Illumos code-base and am also
still new to this arena, I wanted to ask if Illumos has an
application sandbox feature already.
Not in that form or anything like it, no.
You could use ppriv to limit application privileges, which provides some of the sandboxing
capability. One thing we don't have as far as I'm aware is the ability to restrict access to a
list of files, which would be convenient.
Additionally, I found that there basically are "Sparse Root Zones
(SRZ)" and "Whole Root Zones (WRZ)" as well that basically map
various Global-Zone file directories into the non-Global Zone, and
it made me wonder about Sandboxes and also perhaps non-global
zones that are mapped with even less directories than SRZ.
In Tribblix I have this thing called mvi zones, where the zone just has an application and
whatever files necessary for it to run. In the case of applications written in go, this can be
a very small list indeed (libc, nsswitch, and basic contents of /etc). Sort of like docker
images. Ought to finish that project off one of these days, it's just a prototype at the moment.
I've also played around with running desktop apps sandboxed in regular zones, rather like
Qubes. It works after a fashion, but performance needed some improvement.
Anyway, I am just thinking about some ideas for the project but
application sandboxes would be extremely useful since I think that
they are even smaller than the SRZ zones.
Any thoughts, ideas or suggestions would be greatly appreciated.
Thanks in advance and have a great day,
Lonnie
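As an added example of the ppriv approach mentioned in the reply (this script is not from the thread, from illumos or from Tribblix; it assumes ppriv(1)'s -e, -s and -D options and illumos' "basic,!priv" privilege-set syntax, and the privilege names file_link_any and proc_info from the basic set):

```shell
#!/bin/sh
# Added example (not from the thread): launch a program under a reduced
# illumos privilege set with ppriv(1), dropping selected "basic" privileges.
# Assumes ppriv's -e (execute), -s (set spec) and -D (privilege debugging)
# options and the "basic,!priv" set syntax of illumos/Solaris.

# Turn "priv1,priv2" into a ppriv set spec "A=basic,!priv1,!priv2".
# A= applies to all four sets (E, I, P and L); removing a privilege from
# the limit set L as well means the program cannot regain it later.
build_priv_spec() {
    drop=$1
    spec="A=basic"
    for p in $(printf '%s' "$drop" | tr ',' ' '); do
        spec="$spec,!$p"
    done
    printf '%s\n' "$spec"
}

# Run a command with the given privileges dropped.
# $1:    comma-separated privilege names to drop, e.g. "file_link_any,proc_info"
# $2...: command and its arguments
# -D reports failed privilege checks, which is the easiest way to find out
# what a program actually needs before tightening the set further.
# proc_exec has to stay in the effective set, since ppriv itself needs it
# to exec the target.
run_sandboxed() {
    spec=$(build_priv_spec "$1"); shift
    if command -v ppriv >/dev/null 2>&1; then
        ppriv -e -D -s "$spec" "$@"
    else
        # Not an illumos host: show what would have been run and succeed.
        echo "ppriv not available; would run: ppriv -e -D -s $spec $*" >&2
    fi
}

# Usage: a shell that can only observe its own processes and cannot
# hard-link files it does not own.
# run_sandboxed file_link_any,proc_info /bin/sh
```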