Heh, as a FreeBSD user primarily, OpenBSD sometimes feels kinda empty to me. No ZFS, no DTrace, no jails, no mandatory access control, no CloudABI, no Linux compat layer…
DTrace would be nice to have, but I believe there are CDDL license concerns.
Jails are a way of isolating services so that they cannot do (much) damage to the system in the event they are compromised. The closest alternative in OpenBSD is probably pledge(2), which allows a program to voluntarily renounce the ability to invoke a set of syscalls. There is also chroot if all you need is filesystem virtualization.
> OpenBSD doesn't support a MAC framework because they believe the best approach to security is correctness, rather than trying to achieve security by adding features which results in more complexity, making it more difficult to ensure correctness. A common mistake people make is thinking that OpenBSD's primary goal is security; their primary goal is correctness. This just happens to result in better security more often than not.
Linux compat is a similar story. OpenBSD dropped it in the 6.0 release due to complexity and security concerns.
pledge is not similar to jails in any way; jails are "chroot on steroids" (isolate network, PIDs, users, etc.)
pledge is more similar to Capsicum. It is simpler to implement in some programs, sure, but:
1) I don't like how pledge just kills the program. Rude. Capsicum refuses the offending operation.
2) Capsicum has an absolutely brilliant feature for directory access — you just open() a file descriptor to a directory, then you cap_enter()… and in the sandbox mode you can use openat() to open files below that directory! This is just so clever. Meanwhile pledge promised a simple directory whitelist option that is STILL NOT IMPLEMENTED :(
CloudABI is a portable ABI that can be described as POSIX plus Capsicum minus anything incompatible with Capsicum. So CloudABI programs start already in capability mode, expecting necessary file descriptors to be already open (there's a launcher tool for that). You can just run CloudABI binaries unmodified on several operating systems and they are always sandboxed, they have no way to access anything you didn't pass to them. CloudABI is out-of-the-box supported on FreeBSD, there are kernel patches for NetBSD and Linux, and a user-mode syscall translator for macOS. https://nuxi.nl/cloudabi/
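The directory-descriptor pattern from point 2 above (open a directory, cap_enter(), then openat() below it), with the pledge(2) call from the earlier comment as the OpenBSD counterpart. This is an added example written for this thread, not code from sway, FreeBSD or OpenBSD. Only the FreeBSD branch really enters capability mode; on OpenBSD it pledges "stdio rpath cpath" (pledge has no per-directory restriction, which is the whole complaint), and on any other system sandbox_enter() is a no-op so the program still runs. The path_is_confined() check is a userland imitation of what the Capsicum kernel refuses in capability mode (absolute paths and ".." traversal), added so the behaviour is the same everywhere; the scratch directory and its config.txt are constructed by the program itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#if defined(__FreeBSD__)
#include <sys/capsicum.h>
#endif

/* Enter the platform sandbox. FreeBSD: cap_enter() removes all access to
 * global namespaces, so only already-open descriptors remain usable.
 * OpenBSD: pledge(2) restricts syscalls; "rpath"/"cpath" keep path-based
 * open/unlink working because pledge cannot confine to a directory.
 * Elsewhere (assumption for portability): nothing is restricted. */
static int sandbox_enter(void)
{
#if defined(__FreeBSD__)
    return cap_enter();
#elif defined(__OpenBSD__)
    return pledge("stdio rpath cpath", NULL);
#else
    return 0;
#endif
}

/* Mirror of the Capsicum rule: a path relative to a directory capability
 * may not be absolute and may not contain a ".." component. */
static int path_is_confined(const char *rel)
{
    if (rel == NULL || rel[0] == '\0' || rel[0] == '/')
        return 0;
    const char *p = rel;
    while (*p) {
        const char *seg_end = strchr(p, '/');
        size_t len = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (!seg_end)
            break;
        p = seg_end + 1;
    }
    return 1;
}

/* Open a file strictly below the pre-opened directory descriptor. */
static int open_below(int dirfd, const char *rel)
{
    if (!path_is_confined(rel)) {
        errno = EACCES;
        return -1;
    }
    return openat(dirfd, rel, O_RDONLY);
}

/* Build a scratch directory with one file, pre-open the descriptors we
 * will need, enter the sandbox, then try three opens. Returns a bitmask:
 * 1 = relative open worked, 2 = absolute path refused, 4 = ".." refused,
 * so 7 means the confinement behaved as intended; -1 on setup failure. */
static int demo(void)
{
    char dir[] = "/tmp/capdemoXXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char fpath[256];
    snprintf(fpath, sizeof fpath, "%s/config.txt", dir);
    FILE *f = fopen(fpath, "w");          /* constructed sample file */
    if (!f)
        return -1;
    fputs("constructed sample\n", f);
    fclose(f);

    /* Everything we need later is opened BEFORE entering the sandbox,
     * including the parent so cleanup works without absolute paths. */
    int parentfd = open("/tmp", O_RDONLY | O_DIRECTORY);
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (parentfd < 0 || dirfd < 0)
        return -1;

    if (sandbox_enter() != 0)
        return -1;

    int result = 0;
    int fd = open_below(dirfd, "config.txt");
    if (fd >= 0) { result |= 1; close(fd); }
    if (open_below(dirfd, "/etc/passwd") < 0) result |= 2;
    if (open_below(dirfd, "../escape") < 0)   result |= 4;

    /* Cleanup via the descriptors only: still legal in capability mode. */
    unlinkat(dirfd, "config.txt", 0);
    close(dirfd);
    unlinkat(parentfd, dir + strlen("/tmp/"), AT_REMOVEDIR);
    close(parentfd);
    return result;
}

int main(void)
{
    int r = demo();
    printf("relative ok=%d absolute refused=%d dotdot refused=%d\n",
           r & 1, (r & 2) != 0, (r & 4) != 0);
    return r == 7 ? 0 : 1;
}
```

The order matters: on FreeBSD any open() of a path after cap_enter() fails with ECAPMODE, so the directory and parent descriptors, and anything else the program will ever need, must be acquired first; that is exactly the "expecting necessary file descriptors to be already open" model CloudABI turns into the default.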
I agree with both of these sentiments. I think that's because OpenBSD prefers to move more slowly until they can be sure a thing is absolutely right. Innovation in OpenBSD tends to be unsexy and carefully considered. FreeBSD pushes the envelope in a lot of areas to deliver features, with more inherent risk.
Both are valid, and result in very different operating systems. These days most of my work can be fit into the OpenBSD envelope, which makes me feel especially good.
Yeah, SO_PEERCRED, I remember that one. The sway Wayland compositor relies on it to authenticate privileged programs (desktop bars, screensavers, screenshot tools etc.) When I was porting sway, that really annoyed me.
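What that SO_PEERCRED dependency looks like in practice, as an added example (not sway's code): the compositor side asks the kernel who is on the other end of an AF_UNIX connection and decides whether that client may use privileged protocols. Linux reports this through getsockopt(SO_PEERCRED) with struct ucred; OpenBSD and FreeBSD both have getpeereid(3), which is the portable way to get the same uid/gid there. The same-uid policy in peer_is_trusted() is an assumption for illustration, and the socketpair stands in for a real client connection so the program runs offline.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>

/* Fill *uid/*gid with the credentials of the process on the other end of
 * the connected AF_UNIX socket fd. Returns 0 on success, -1 on failure. */
static int peer_credentials(int fd, uid_t *uid, gid_t *gid)
{
#if defined(__linux__)
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0)
        return -1;
    *uid = cr.uid;
    *gid = cr.gid;
    return 0;
#elif defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__APPLE__)
    return getpeereid(fd, uid, gid);   /* BSD equivalent of SO_PEERCRED */
#else
    (void)fd; (void)uid; (void)gid;
    return -1;                         /* no known mechanism here */
#endif
}

/* Example policy (assumption, not sway's rules): a client may bind
 * privileged interfaces only if it runs as the same user as we do. */
static int peer_is_trusted(int fd)
{
    uid_t uid;
    gid_t gid;
    if (peer_credentials(fd, &uid, &gid) != 0)
        return 0;
    return uid == getuid();
}

/* Self-contained demo: both ends of the socketpair belong to this process,
 * so the peer must be accepted. Returns 1 if trusted, 0 otherwise. */
static int demo_same_user_peer(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    int ok = peer_is_trusted(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    printf("peer trusted: %s\n", demo_same_user_peer() ? "yes" : "no");
    return 0;
}
```

The check is only as strong as the kernel's guarantee that the credentials cannot be forged by the client, which is why a compositor prefers this over anything the client sends in-band; whatever API the platform offers, it has to be one the kernel fills in.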
I actually don't disagree with that, all those features would be nice to have in OpenBSD. However, ZFS for example is "just pulled in" from Solaris and seems a little out of place. It works great, but there seems to be no effort to make it feel like it belongs.
That's not really true. There has been work to follow in TrueOS's footsteps to have a full ZFS root and integrate that with the installer, system upgrade, et al. as TrueOS does. TrueOS has been leading the way for using ZFS for boot environments on FreeBSD. This is far from "no effort".
Fair enough, though that wasn't really what I meant. I was thinking in terms of reworking the tools to either use fstab for ZFS or forgo using it for any filesystem.
I completely understand why these things aren't being done, but not doing them means that something will remain a little out of place.