cvs commit: src/sys/kern kern_proc.c

Matthew Dillon dillon at
Tue Feb 1 10:33:48 PST 2005

:While Paul's suggestion was obviously in jest, I'd have to say that it's 
:probably *not* a good idea to implement it, regardless of the expense, 
:unless it can be demonstrated that this can somehow reveal privileged 
:information.  This would defeat programs (e.g., sendmail) which attempt 
:to back off when system load gets too high.

    I think the idea has merit, it just isn't being taken far enough.  What
    we really want here is a 'virtual machine'.  The current jail subsystem
    is still sharing the same kernel resources, data space, and code,
    and thus could still panic the entire system and could still create 
    cross-jail security issues.

    But when it comes right down to it it should be possible to run pretty
    much the entire kernel, minus the device drivers, as a user level process.
    All we really need is some way to manage the VM space for the 'user' 
    processes and route system call requests for those processes to the
    simulated kernel rather then the real kernel.

    This would be a worthy goal.  I think also very doable... and a very, very
    powerful tool.

					Matthew Dillon 
					<dillon at xxxxxxxxxxxxx>

More information about the Commits mailing list