alt.hn

4/7/2026 at 7:54:06 PM

Cells for NetBSD: kernel-enforced, jail-like isolation

https://netbsd-cells.petermann-digital.de/

by akagusu

4/7/2026 at 8:17:30 PM

I’ve seen a few posts about security extensions for NetBSD over the past several months and most of them build on top of the kauth(9) and secmodel(9) frameworks. I was one of the people who worked on these about twenty years ago (!) and I just wanted to say it’s heartwarming to see people still find our work useful and valuable today. Thank you. :)

by eladx

4/7/2026 at 10:09:19 PM

I followed your and @blymn's work then, and filed a bug report against veriexec. blymn gently improved the characterization of the problem and fixed it. That led me to start studying lex/yacc, instead of just treating them like magic.

Thanks for your work.

by bch

4/7/2026 at 10:56:43 PM

This describes it as more lightweight than other options, but the "Declarative Apply Plan" feature actually seems more feature rich than FreeBSD jails. Very cool feature; actually something I would like on the host.

by yjftsjthsd-h

4/7/2026 at 7:54:06 PM

Cells for NetBSD is an early-stage but steadily maturing system for lightweight, kernel-enforced isolation on NetBSD.

It closes the operational gap between simple chroot environments and full virtualization platforms such as Xen.

by akagusu

4/7/2026 at 11:01:08 PM

Excuse my ignorance, but does this functionally mean we can treat this as a 'microkernel' a la minix? I always liked the 'tiny protected subsystem' in Ring 0, then a Ring 1 for Drivers (which are restartable, and dynamically loadable), then one or two rings for User processes (maybe Ring 2 for 'ls' etc and Ring 3 for typical user processes).

I am also curious: What hardware enhancements would benefit 'lightweight, kernel-enforced isolation'? Do we need memory tags? HW capability lists?

( I believe we've concentrated far too much in making "damn fast pdp-11s" with our hardware advances, and far less on building Reliable Systems -- even if a few percent of peak possible performance is consumed by extra HW. )

by GeorgeTirebiter

4/7/2026 at 9:32:00 PM

And before anybody speculates too much about Matthias' use of "jail-like":

I think this can make a lot of sense, because there are many situations, in particular in embedded systems, where you can and should confine at a much smaller scale than jails are really convenient for.

It will also be interesting to see if "Cells" can make inroads into the territory the original ACL abandoned, because writing the rules was so complex that it amounted to parallel meta-anti-software development.

Hat tip to Matthias from here.

by phkamp

4/7/2026 at 9:33:17 PM

I'm far from familiar with Linux, is this very different from cgroups?

by Pay08

4/7/2026 at 10:58:04 PM

It's kind of in the middle? It's doing more than just cgroups, but less than, e.g., Docker.

by yjftsjthsd-h

4/8/2026 at 12:02:38 AM

Cell as in jail cell, huh

by stevefan1999

4/7/2026 at 10:00:37 PM

I think the write up and rationale and FAQ are near perfect. It's a KISS pure NetBSD model, it's deliberately reductionist and it discusses reasoning and why it differs or is an analogue of other systems.

I probably won't be using it because my core investment on FreeBSD does what I need but I think it's interesting.

by ggm

4/8/2026 at 3:30:53 AM

Agreed on both counts - excellent write-up.

I use FreeBSD jails and get a lot of value out of separate network stacks for each (vnet jails).

Would the NetBSD approach here be to lean more heavily on your lan infra to register hostnames with static addresses (pointing at NetBSD host) and then run a host proxy to forward & port-map to the relevant cell? Or is this the wrong kind of use-case for cells?

by bb01100100

4/8/2026 at 4:55:36 AM

I don't personally like proxies, intermediaries, but that said they've been entirely normalised by kubernetes/traefik/haproxy type setups. I do find managing the bridge pseudo-devices, and the various bindings, and DHCP/SLAAC a bit painful because I actually don't understand it well.

I use bastille, and it seems to "just work" and I looked at Sylve and it had huge potential. When I ask for some ELI5 on bridge/net stuff, I don't get traction so my confusion remains.

I think a lot of people enable NAT methods which aren't that far removed from a host proxy or port-map. I don't like NAT (see comment above about k8s)

by ggm