Bhyves in Jail, Mr. Shawn i need your opinion.

[Ulaş Saygın]

Hi Shawn ,

i want to ask you something.

i want to work with bhyves, i mean more than one virtual machines.

i wanted to use jail and run all bhvyes in jail.

like you did one vm in jail for malbhvye (but i couldnt find latest version. didnt you publish?)

in this case, i will assing public ip addresses for some vms, and some not only local ip but they will have internet access.

i want to create netgraph ipfw and nat network but i could nt be sure about is it necessary.

for security aspect and latest developments of bhvye and freebsd and hardenedbsd.

what do you advice or prefer to use more than one bhves in jail and networking issue for both performance and security aspects.

can you give me an ideas?

thank you very much.

[Shawn Webb]

Hey Ulas,

The primary goal behind the jail integration for bhyve was to be able
to hack on the bhyve userland components while still having a
production-capable bhyve.

Adding jails into the mix does not necessarily increase the security
posture of bhyve. If the kernel component(s) of bhyve are compromised,
one should assume full breach of the host environment. If the userland
component(s) of bhyve are compromised, the ability for an attacker to
accomplish their goals is made very difficult by virtue of bhyve's
existing integration with Capsicum.

I suppose an attacker that has compromised the bhyve userland
component(s) could cause undesired behavior in the guest's execution
environment. But that's true regardless of whether jails are involved.

Where jailing might come in handy is being able to use rctl to place
rate limits on the bhyve guest. That's something worth researching.

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc