How possible is it to write an effective jail for OpenBSD without altering its source code?


I've been researching possible operating systems to host websites and am interested in security. I really like the FreeBSD jail system and understand that OpenBSD discontinued its jail system some years back due to the possible exploitation of race conditions. My general question is: is it feasible to write a jail in C that is not dependent on the alteration of OpenBSD's source code? Or is it necessary to make adjustments in the kernel etc. in order for a jail to properly work?

For instance, could one write a wrapper for the new virtual machine in OpenBSD (vmm) that would essentially make it impossible for a user to access anything outside of the virtual machine? Or is this basically not possible because there would always be a way to break into the system due to either how OpenBSD is coded or how C interacts with it?

Answer by James Risner:

Is it feasible to write a jail in C that is not dependent on the alteration of OpenBSD's source code? Or is it necessary to make adjustments in the kernel etc. in order for a jail to properly work?

No and Yes.

The entire point of jails is to partition a system into several independent mini-systems. They all share the same kernel and have significantly less overhead than a VM.

OpenBSD does support chroot(8), but jail functionality is far more than chroot. For example, if your chroot environment were to be compromised, you could break out of the chroot environment. This would allow root control of the entire system. If you have a compromised jail, they only have root on the jail.