#19455 new enhancement
Sandboxing / Jailing Haiku applications / services
| Reported by: | kallisti5 | Owned by: | nobody |
|---|---|---|---|
| Priority: | normal | Milestone: | Unscheduled |
| Component: | System | Version: | R1/beta5 |
| Keywords: | jail, sandbox, chroot | Cc: | |
| Blocked By: | | Blocking: | |
| Platform: | All | | |
Description
I was thinking a bit on https://discuss.haiku-os.org/t/showcase-mariadb/16456, and we really should look into some kind of simple, standardized way to sandbox / jail applications.
We already do this today somewhat with haikuporter via the chroots.
Thoughts:
- Mounting essential packages (haiku, etc) read only in a chroot at a standardized location
- Control various permissions reaching outside of this chroot in a simplistic user-friendly way (network, hardware, etc)
- Adding support to launchd for sandboxing long-running services
- Adding tools to run applications in a sandbox and specifying the dependent OS packages.
We're desktop focused with everything running as uid 0. Instead of relying on non-root / non-administrative users for permission sandboxing of applications, let's do it the more modern way and make a framework around it.
tl;dr: Haiku "containers" without the complexities of OCI, Docker, multiple distros, etc.
"Haiku Jails" if you're a BSD person :-)
This all starts by simplifying the chroot process with official OS-provided tools, and adjusting HaikuPorts to use them instead of doing everything itself.
Change History (3)
comment:3
A bit more information on how haikuporter does it. (The logic is pretty spread out in the haikuporter code.)
To be clear, I'm not proposing containers on Haiku. Someday (tm) we can add podman and podman-machine (running a Linux VM for container development).
This is more of a native "BSD-like Jails" path.