Just a thought… Wouldn't it be nice if capsicum in #FreeBSD could be used in such a way that you didn't need to alter binaries, but could instead use e.g. daemon(8) to jail your binaries with restricted capabilities?
@mpts @rvstaveren If you just want to use jails for all services, you can modify rc.subr to add a new jailing feature where it just shares the same root filesystem, but all the services you specify run in a jail with some lowered capabilities; it behaves like a cgroup in that fashion.
I wish some people took this seriously and pushed it as a core feature, because it would rule.
@feld @mpts Yes, definitely! The reason I mentioned capsicum was that the jailing could go even deeper than that and keep processes unprivileged right from the start.
"As Arm expands its reach into new technology domains, it is important to understand FreeBSD's role in this journey to gain insights into broader industry trends."