What Jail/Chroot/Sandbox-like mechanisms are available on OpenBSD?

kpalatzky · Sep 1, 2016 · Viewed 7.5k times

I have recently started using OpenBSD, and I want to create easy fire-and-forget containers/VMs or something else (it should be used as a sandbox).

The user can upload his source code (C++/Java/Perl); it will be compiled on the server (OpenBSD), and if this was successful, it should execute this file and then return the result to the web page.

How can I provide this in OpenBSD?

Also, should I use chroot, since 'jail' will be removed in 6.0? Or are there other possibilities to create a "sandbox" in OpenBSD?

Answer

Mathieu Kerjouan · Sep 1, 2016

Currently OpenBSD doesn't support any "chroot on steroids" mechanism. In the past, a similar jail feature (named sysjail) was in ports, but it was removed in 2007 because it was not easy to maintain and pretty insecure. You can find more information about it on Stack Exchange and with your search engine.

Historically, OpenBSD only supports chroot(8), and it works exactly like on other systems:

  1. create an alternative root with userland on it

     # create your target chroot
     target="/tmp/chroot"
     mkdir ${target}

     # now build and install your userland
     # (${repository} is your CVS mirror, ${openbsd_release} the release tag to check out)
     cd /usr
     cvs -qz3 -d${repository} co src -r${openbsd_release}
     cd /usr/src
     make obj && make && make install DESTDIR=${target}

  2. start your daemon or your soft in it

     # in root
     chroot /tmp/chroot

     # run your daemon here
     # note: you need to init also dev directory
     #       and, eventually, customize /etc/fstab
     #       /tmp is currently not allowed to have dev on it
     #       please see fstab(5) man page

Lots of software in base supports the chroot feature; openntpd, openssh, httpd and many others are configured by default to run in an isolated directory.

Now, since OpenBSD 5.9, you can use the vmm(4) hypervisor and vmctl(8) in base. You can start your vmd daemon and create isolated containers like with any other hypervisor (bhyve, xen or kvm).

# from openbsd vmctl man page example
vmctl create disk.img -s 4.5G
vmctl start "myvm" -m 512M -i 1 -d disk.img -k /bsd
vmctl stop 1

You can also use another approach based on software in ports: qemu works pretty well but has poor performance on OpenBSD, due to lack of kernel acceleration support and in part because of the filesystem structure.

Now, concerning your main issue (offering a way of remotely compiling source code), I guess the better idea is to truly isolate your code from the main system, and using something like vmctl or qemu could be a good answer. Perhaps qemu would be better, because you can use a standard user to execute it, without kernel features and with lots of network features, but compilation would be really slow.
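The chroot steps and the "dev on /tmp" caveat in the answer above can be wrapped in a small sh(1) script. The following is an added example, not part of Mathieu Kerjouan's answer or of OpenBSD itself: it checks fstab(5) for a nodev mount before device nodes are created under the target, prepares the directory skeleton the answer says must be initialised by hand, verifies the chroot is ready, and runs one untrusted job inside it as an unprivileged user with resource limits. The account name "builder", the path /chroot/build, the sample fstab contents and the limit values are assumptions for illustration; the `chroot -u` form is OpenBSD chroot(8) syntax, and `run_sandboxed` needs root on an OpenBSD host with the userland already installed into the target.

```shell
#!/bin/sh
# Added example around the chroot(8) workflow; not the original answer's code.

# Print the mount options of the filesystem holding path $1, taken from the
# fstab-format file $2: the longest mountpoint that is a prefix of $1 wins.
mount_options_for() {
    awk -v p="$1" '
        /^[ \t]*#/ || NF < 4 { next }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { print opts }
    ' "$2"
}

# Exit 0 if device nodes may live under $1 according to fstab file $2, i.e.
# the containing filesystem is not mounted nodev (the answer's /tmp caveat).
dev_nodes_allowed() {
    opts=$(mount_options_for "$1" "$2")
    case ",$opts," in
        *,nodev,*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Constructed sample fstab (not from a real machine), in the layout the
# OpenBSD installer produces: /tmp and /var are nodev, the root is not.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample, not a real fstab
1a2b3c4d5e6f7a8b.a /     ffs rw 1 1
1a2b3c4d5e6f7a8b.d /tmp  ffs rw,nodev,nosuid 1 2
1a2b3c4d5e6f7a8b.e /var  ffs rw,nodev,nosuid 1 2
EOF
}

# Create the directories the answer says you must initialise yourself:
# dev, a sticky tmp, etc (for fstab/passwd copies) and a work directory.
chroot_skel() {
    target=$1
    mkdir -p "$target/dev" "$target/tmp" "$target/etc" "$target/work" || return 1
    chmod 1777 "$target/tmp"
}

# Exit 0 only when the target looks usable: a shell, a passwd file and a
# real character device at dev/null (a plain file there is a mistake).
chroot_check() {
    t=$1
    [ -x "$t/bin/sh" ]      || { echo "missing $t/bin/sh" >&2; return 1; }
    [ -f "$t/etc/passwd" ]  || { echo "missing $t/etc/passwd" >&2; return 1; }
    [ -c "$t/dev/null" ]    || { echo "$t/dev/null is not a device node" >&2; return 1; }
    return 0
}

# Run one untrusted job inside the prepared chroot as the hypothetical
# unprivileged account "builder" (must exist on the host and in the
# chroot's etc/passwd), with limits set in the child shell so a runaway
# compile or a fork bomb cannot exhaust the host. Requires root on OpenBSD.
run_sandboxed() {
    target=$1; shift
    chroot_check "$target" || return 1
    chroot -u builder "$target" /bin/sh -c '
        ulimit -t 30      # CPU seconds
        ulimit -d 262144  # data segment, in kibibytes
        ulimit -n 64      # open file descriptors
        ulimit -p 32      # processes for this user
        cd /work && exec "$@"' sh "$@"
}

# Demo: show why /tmp/chroot from the answer cannot hold dev nodes on a
# default layout, and that /chroot/build (assumed path) can.
demo() {
    f=$(mktemp) && write_sample_fstab "$f"
    for t in /tmp/chroot /chroot/build; do
        if dev_nodes_allowed "$t" "$f"; then
            echo "$t: device nodes allowed (options: $(mount_options_for "$t" "$f"))"
        else
            echo "$t: mounted nodev, pick another location"
        fi
    done
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then demo; fi
```

`sh sandbox.sh demo` prints the nodev verdict for both locations without touching the system; `run_sandboxed /chroot/build cc -o prog prog.c` is the root-only step that actually compiles inside the chroot. Copying the user's upload into `$target/work` and reading the result back out is left to the web front end.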