undefined | Better HN

0 pointstrasz4y ago0 comments

They are completely different mechanism for doing different kind of stuff. Firejail sounds like something closer to Capsicum, but without the security model.

0 comments

4 comments · 2 top-level

tome4y ago· 2 in thread

Could you elaborate on the differences? As far as I understood it firejail, or rather the Linux features that it depends upon, is far more powerful than FreeBSD jails.

traszOP4y ago

From what I understand, firejail is a "syscall filter". This moves it to the same category as capsicum (https://www.freebsd.org/cgi/man.cgi?capsicum), but without Capsicum's security model, instead implementing something ad-hoc, probably by using Linux' seccmp.

Jails, on the other hand, are not a sandboxing mechanism - they are system-level virtualization, like Linux namespaces, but with a simpler interface. You can use it for sandboxing, but it's not what the mechanism fundamentally is.

heavyset_go4y ago

Firejail does more than just syscall filtering.

1 more reply

stjohnswarts4y ago

I was under the impression they were like jails, to sandbox a program and make it more siloed off and secure? Whatever the underlying mechanisms for obtaining that. I'll research some more I guess.

j / k navigate · click thread line to collapse