
Chroot is not a good option, as stated in many places, because a root process can easily exit the chroot.

Is there any way to isolate the user space completely in *nix based systems?

  • You are probably looking for Linux containers https://en.wikipedia.org/wiki/LXC and their equivalents in other *nix systems. – Not Now Feb 26 '16 at 07:05
  • No. There isn't. Operating system level virtualization solutions like OpenVZ and LXC don't really accomplish that goal; `sysenter` (or `int $0x80`, on ia32) still escapes to the kernel. Unless you just meant "I don't want kernel processes visible under `/proc`, and I want standard IPC mechanisms to fail", in which case... Drink the container-based-virtualization Kool-Aid. – Parthian Shot Feb 26 '16 at 07:15

1 Answer


You ask "how to isolate user processes from kernel processes completely". The answer is that you can't, and shouldn't; the kernel provides many essential services to userspace. Any user process that can't talk to the kernel at all can't use virtual memory, or a filesystem, or the network, or inter-process communication, or any number of other services the kernel is gatekeeper and housemaid for - and therefore it can't do much except tiny numerical computations that it can never tell anyone about.

chroot, containerisation, and virtualisation provide increasing levels of isolation for environments. Each has different costs, pros, and cons, and they should not be confused with each other - or with physical separation. Which you want will be dependent on your needs, which usually proceeds from a threat model and the resultant analysis. So decide what you want to protect, and from whom, and consider opening a new question.

But the answer to this one is: no, and for good reason.

Edit: I understand what you want, but you can't have it: the kernel is there for a good reason. You can mitigate the risks of a suborned daemon suborning the kernel (least-possible privilege, privilege separation, SELinux or similar MACs, chroot/containerisation to constrain FS access, etc.), but in the end userspace has to be able to talk to the kernel, kernels are buggy too, and these bugs can sometimes be exploited. Keep up with your patches!

We all do what we can, then hope for the best. If your best is not good enough for you, you will need to get professional help in.

MadHatter
  • I want to separate some daemon processes (e.g. tomcat running on 8080 and other third-party applications) so that it is impossible to exploit them to get access to kernel processes. Further, I would like the end-user of the system to be isolated from kernel processes as far as possible, for the same reason as above. – user2632528 Feb 26 '16 at 12:47
  • @user2632528 please, do not turn this into a chameleon question (ie, keep changing it in response to each answer or substantive comment). You've had your question, *as you asked it*, answered. – MadHatter Feb 26 '16 at 13:02
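The answer's mitigation list (least-possible privilege, privilege separation, constrained filesystem access, limiting what the daemon can ask of the kernel) maps onto concrete settings for a daemon such as the Tomcat instance mentioned in the comments. The following is an added illustration, not code from the answer or from any project: two systemd unit files for a hypothetical service, the first running as root with the full kernel interface exposed, the second applying the hardening the thread describes. The service name, account name and paths are placeholders, and the block assumes systemd is the init system (which the thread never states). Save the two `[Unit]`/`[Service]` sections as two separate files; they are shown together only for comparison.

```ini
# ---- File 1: example-app.service, BEFORE hardening (constructed example) ----
# Runs as root. Any bug in the daemon gives the attacker root and every
# system call the kernel offers.
[Unit]
Description=Example daemon on port 8080 (before hardening)

[Service]
ExecStart=/opt/example-app/bin/run.sh
Restart=on-failure

[Install]
WantedBy=multi-user.target

# ---- File 2: example-app.service, AFTER hardening (constructed example) ----
[Unit]
Description=Example daemon on port 8080 (hardened)
After=network.target

[Service]
ExecStart=/opt/example-app/bin/run.sh
Restart=on-failure

# Least privilege: a dedicated unprivileged account, no capabilities at all,
# and no way to regain privileges via setuid binaries. Port 8080 is above
# 1024, so binding it needs no capability.
User=example-app
Group=example-app
NoNewPrivileges=true
CapabilityBoundingSet=
AmbientCapabilities=

# Constrained filesystem view (the chroot/containerisation point from the
# answer): read-only OS tree, no home directories, private /tmp and /dev,
# writable only where the application genuinely needs to write.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ReadWritePaths=/var/lib/example-app /var/log/example-app

# Keep the daemon away from kernel tunables, module loading, the kernel log
# and other processes' cgroups; forbid creating new namespaces, realtime
# scheduling and setuid/setgid files.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true

# The process still has to talk to the kernel, as the answer says. What can
# be done is to restrict it to the system-call subset a network service
# needs, on the native ABI only, and to the socket families it really uses.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security example-app.service` prints a per-directive exposure report for a unit and is a quick way to see which of these settings are still missing. `MemoryDenyWriteExecute=` is deliberately left out because a JIT-compiling runtime such as the JVM behind Tomcat needs writable-then-executable memory and would fail to start with it; the remaining directives are safe for most daemons, but any `ReadWritePaths=` and `SystemCallFilter=` choices must be checked against what the particular application actually does.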