freebsd idea: “user jails”.
inspired by the new service jails in 15.0, but for users. when a user logs in, their shell process is put into a newly created jail called “usrj-<uid>”, or added to the existing jail of that name if there is one. the jail would have its root filesystem set to / (like service jails do), so things would look the same from the user's point of view, just with fewer privileges.
which users to jail and the jail privileges to give them could be specified in /etc/login.conf, and a default template could be supplied that provides the most common options (like ip4=inherit ip6=inherit). the administrator could provide custom restrictions to e.g. restrict a user to a particular set of IP addresses.
ideally, this would eventually allow restricting what files a user jail is allowed to read/write, separately from DAC permissions, and perhaps some other things.
what do you think?
i'm very interested in applications like this which treat lightweight jails as basically "FreeBSD cgroups" (or "FreeBSD process contracts", in Solaris terminology).
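As an added example (not code from the original post, and not anything in FreeBSD), here is a POSIX sh sketch of the login hook the proposal describes: name the jail usrj-<uid>, create it with its root at / and the default ip4=inherit ip6=inherit template if it does not exist yet, otherwise attach to the existing one, then replace the login process with the user's shell inside it. It assumes jail(8), jexec(8) and jls(8) with their documented syntax; the argument layout, the network-template string and the USRJAIL_LOGIN_* environment variables are this example's own invention and stand in for whatever /etc/login.conf wiring a real implementation would use.

```shell
#!/bin/sh
# usrjail-login.sh: constructed sketch of the proposed per-user jail login hook.
# Not FreeBSD code. Assumes jail(8), jexec(8) and jls(8); the usrj-<uid> naming
# and the "ip4=inherit ip6=inherit" default follow the proposal. The argument
# layout and the USRJAIL_LOGIN_* variables are this example's own invention.

JAIL=${JAIL:-jail}     # overridable so the logic can be exercised without root
JEXEC=${JEXEC:-jexec}
JLS=${JLS:-jls}

# Per-user jail name: "usrj-<uid>".
usrjail_name() {
    printf 'usrj-%s\n' "$1"
}

# jail(8) parameters for a user jail. The root stays at / (as with service
# jails), the hostname is inherited, and "persist" keeps the jail alive with no
# processes in it so a second session can attach instead of creating a new one.
# $2 is the network template; the default is the proposal's ip4/ip6=inherit.
# An administrator-supplied template such as "ip4.addr=192.0.2.10 ip6=disable"
# pins the user to one address instead (constructed documentation address).
usrjail_params() {
    net=${2:-"ip4=inherit ip6=inherit"}
    printf 'name=%s path=/ host=inherit %s persist\n' "$(usrjail_name "$1")" "$net"
}

# True if the jail already exists; jls -j exits non-zero for an unknown jail.
usrjail_exists() {
    "$JLS" -j "$(usrjail_name "$1")" jid >/dev/null 2>&1
}

# Create the jail on first login, reuse it afterwards. Prints which happened.
usrjail_ensure() {
    if usrjail_exists "$1"; then
        echo existing
    else
        # word splitting of the parameter list into separate arguments is intended
        "$JAIL" -c $(usrjail_params "$1" "${2:-}")
        echo created
    fi
}

# Replace the login process with the user's shell inside the jail.
# -l gives a clean environment, -U takes the credentials from the host's passwd.
usrjail_login() {
    uid=$1 user=$2 shell=$3 net=${4:-}
    usrjail_ensure "$uid" "$net" >/dev/null
    exec "$JEXEC" -l -U "$user" "$(usrjail_name "$uid")" "$shell"
}

# Stand-alone use (hypothetical wiring): USRJAIL_LOGIN_UID=1001 \
#   USRJAIL_LOGIN_USER=alice USRJAIL_LOGIN_SHELL=/bin/sh sh usrjail-login.sh
if [ -n "${USRJAIL_LOGIN_UID:-}" ]; then
    usrjail_login "$USRJAIL_LOGIN_UID" "$USRJAIL_LOGIN_USER" \
        "$USRJAIL_LOGIN_SHELL" "${USRJAIL_LOGIN_NET:-}"
fi
```

Because path=/ gives the jail the whole host filesystem, this confines nothing at the file level; the reduction in privilege comes entirely from the jail parameters (the network template here, and whatever allow.* settings an administrator adds to it), which is also why the proposal's per-file read/write restrictions would need a separate mechanism.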