FreeBSD Jails Security

https://news.ycombinator.com/rss Hits: 1
Summary

I believe this topic is not really well discussed online, and often with multiple misunderstandings. There seems to be this general belief that Podman on Linux is as safe as Jails on FreeBSD. Let's try to dig into that. Below I will try to show all the differences between the security of FreeBSD Jails and Podman containers on Linux.

The Table of Contents for the article below:

  General Concepts
    Podman
    Jails
    General Concepts Security Summary
  Root User
  Isolation Layers
    Pure Podman and Jails
    Podman and Jails with Additional Security Layers
    Isolation Layers Security Summary
  Kernel Syscalls Surface
    Podman
    Jails
    Kernel Syscalls Surface Security Summary
  Dedicated Network Interface
    Podman
    Jails
    Dedicated Network Interface Security Summary
  Dedicated Firewall Inside
    Podman
    Jails
    Dedicated Firewall Inside Security Summary
  How Well Battle Tested
    CVEs
      Podman
      Jails
    CVEs Security Summary
  Endgame Summary

Now let's get into the details.

General Concepts

Podman

Generally, to create a new container, some image from the registry is downloaded (like registry.fedoraproject.org/fedora-minimal:30 for example) and then the needed files and packages are added as required. There is also an alternative: use scratch as an 'empty' image to create a Podman container that only has the needed binary inside.

Jails

Historically, Jails were used as a more or less complete FreeBSD system inside, with its own version smaller than or equal to the version of the host. The idea is simple: you create a directory (or ZFS dataset) that will be your root and extract the FreeBSD Base System there, like this:

  freebsd # mkdir -p /jail/test
  freebsd # fetch https://download.freebsd.org/releases/amd64/14.2-RELEASE/base.txz
  freebsd # tar -C /jail/test --unlink -xf base.txz

Now some short config at /etc/jail.conf, or as a separate /etc/jail.conf.d/test file, and you can start and use your Jail.

Most people do not know that you can use Jails in the same way as Podman or Docker, because there is no need for a minimal system image at all. It's even...

First seen: 2025-04-11 14:48

Last seen: 2025-04-11 14:48