Can I use OpenBSD as an ultra-secure host for virtual machines?

bump for interest

get a grsecurity kernel instead
oh wait

It only has Qemu (despite Q standing for quick it's pretty slow) and native vmm that can only run BSDs and non-systemd Linux distros (Alpine is good for this).

File: goatse security.png (11KB, 256x197px) Image search: [Google]

11KB, 256x197px

>>62111351
>OpenBSD
How can something be secure if you leave it open?

>>62111351
>OpenBSD
>claims to be secure
>no mandatory access control
>no namespaces
>no sandboxing methods
>no jails
OpenBSD gives you no way to contain or restrict the execution of untrusted or buggy code.
It's only secure if you don't install anything besides the base system.
I'll just stick to GNU/Linux, since it's actually secure.

>>62112293
MAC is for retards who chmod 777 everything

>>62112346
>OpenBSD gives you no way to contain or restrict the execution of untrusted or buggy code.
I want to be proven wrong.

>>62112358
chroot, pledge, vm running ramdisk
you can write sandbox with pledge that preopens desired file or sets allowed syscall groups under 100 loc

>>62112293
GNU/Linux is anything but secure, even FreeBSD has better security.

If you don't want to use OpenBSD, then don't use it, don't come here trying to get us to change your opinion. It is obvious you don't know anything about OS security (sandboxing, pledge, jails, VM's) etc so why not do some research first?

>>62113562
>If you don't want to use OpenBSD, then don't use it
I can't use it even if I wanted to because nodrivers.

>>62112293
fun fact:
the only firewalls the german government is used for outside facing ports do run on openBSD.
Despite their really shitty interface they are actually pretty good though

>>62113582
Yet more rubbish, i don't even know where this meme comes from. OpenBSD driver support is on par with GNU/Linux or at least very close.

>>62112434
>pledge
do I need to edit the source code of the program I want to use it on?

File: cat3.jpg (46KB, 500x356px) Image search: [Google]

46KB, 500x356px

>>62112293
why would you run untrusted and buggy code?

>>62113582
its a server os. it does not need drivers for gaming devices.

>>62113902
literally anything not in the base system could be malicious or buggy
doesn't matter how small the chances are

>>62112293
>the same post every single time

>>62113893
Pledge is primarily a tools for developers so making generic sandbox is not what it shines in. It's possible inject wrapper around program with LD_PRELOAD without ever touching or seeing source code of that program.

>>62113916
What does the base system include then?
Does it have a firewall, dns, web server, dhcp, etc, vpn, infiniband routing, etc?

File: mgp00015.jpg (53KB, 1024x768px) Image search: [Google]

53KB, 1024x768px

>>62112434
>chroot
>vm
are you kidding me?
>pledge
lmao are you fucing kidding me

>>62114001
everything in the base system supposedly is heavily audited
the same can't be said for the ports tree

>>62113950
>the same non answers and answers providing non solutions or too complicated solutions every thime

>>62112293
>OpenBSD gives you no way to contain or restrict the execution of untrusted or buggy code.
Everything you need is already there. You won't run untrusted or buggy code if you don't install any other programs. The world has not changed since 1983. Obey the bsd gods.

>>62114001
yes on all except infiniband routing
also load balancer (relayd)
modified Xorg (xenocara) and basic environement (xterm, tmux, wm)
OpenSSH obviously
network redundancy with CARP
VPN with IPSec and IKED
ntpd, smtpd
better list might be this: https://www.openbsd.org/innovations.html

>>62114021
what's so bad about chroot?

>>62114413
chroot is insecure by design https://github.com/earthquake/chw00t

>>62112434
>chroot
insecure, not a solution
>vm running ramdisk
too much overhead for something as simple as restricting access for every single 3d party program
>pledge
sorry, I'm not gonna waste my time editing the source code of every application I use and figuring out which system calls it does or does not need

>>62111351
Use VmWare ESXi. Or SmartOS.

>>62114445
at least grsec on linux has some fixes for it

>>62112293
ok I'm curious, what system do you run and how do you restrict media player, browser, libreoffice or similar, and anything at all?

>>62115199
>what system do you run
arch linux
>how do you restrict media player, browser, libreoffice or similar, and anything at all
firejail, apparmor

>>62111351
Why BSD? Solaris(SmartOs) is much better choice for VM host.

>>62111351
No. It's not secure and the hypervisor is terrible.

Are there any reasons to use OpenBSD, besides "security"?
Should I just use FreeBSD if I want a BSD to dick around with?

>>62119160
>Are there any reasons to use OpenBSD, besides "security"?

only you can really answer this question. they're not trying to sell you anything so you you have to evaluate your own situation.