LEDE privilege separation

Dear all,

I am looking for a solution for "light" privilege separation in LEDE.

My goal is to make it harder for attackers to break into a system. LXC is not a good candidate as it does protect the root account (and it relies on cgroups). So I am inquiring in the direction of cgroup, so we can have fine-grained and light privilege separation.

cgroup allows things like:

In '/etc/cgconfig.conf' add:

group limited {
    perm {
        admin {
            uid = your_name;
        }
        task {
            uid = your_name;
        }
    }
    cpu {
        cpu.shares = 50;
    }
    memory {
        memory.limit_in_bytes = 2147483648;
    }
}

Any reason why cgroup is not available as a module?
Is this because cgroup is tied to systemd and would require too much work and/or space for integration?
Or because cgroup is for large systems?

I am looking for a tool which would "jail" processes, even root processes like NTP, and would make it harder for an attacker to use a zero day attack. Any idea?

Kind regards,
French Fries

Does procd support jails?
Are jails available in LEDE?

Yes.
You can add jails with procd via procd_add_jail and similar commands.

You can check package/network/services/dnsmasq/files/dnsmasq.init for some inspiration.

Regarding cgroups:
I don't know for sure.
Usually the motivation for any lacking feature in LEDE/OpenWrt is "it's not in because it grows the FW size".
Tbh, I don't know how much size cgroups adds to the kernel, but there is a tendency to re-implement a lot of things [in bigger distros] and usually the binaries end up way smaller [example: ubus vs dbus, netifd + procd vs systemd, etc.].
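An added example, not from this thread or from any LEDE package, of what a procd init script using these jail helpers looks like for an ntpd-like daemon started as root. The binary path, option flags, mount list and user name are assumptions; the dry-run shim at the bottom only exists so the resulting jail spec can be inspected on a machine that does not have procd.

```sh
#!/bin/sh /etc/rc.common
# Added example of a procd init script that jails a daemon.
# Not dnsmasq.init or any LEDE script; paths, flags and the
# service user are assumptions for an ntpd-like service.
USE_PROCD=1
START=98

NTPD_BIN=/usr/sbin/ntpd          # assumed daemon location
NTPD_CONF=/etc/ntpd.conf         # assumed config file (read-only in jail)
NTPD_RUN=/var/run/ntpd           # assumed writable state directory

start_service() {
	mkdir -p "$NTPD_RUN" 2>/dev/null || :
	procd_open_instance
	procd_set_param command "$NTPD_BIN" -n -f "$NTPD_CONF"
	# Jail named "ntpd": "ubus" keeps the ubus socket reachable,
	# "log" forwards stdout/stderr to the system log. Nothing else
	# from the root filesystem is visible unless mounted in below.
	procd_add_jail ntpd ubus log
	# Read-only bind mounts the daemon actually needs, and no more.
	procd_add_jail_mount "$NTPD_CONF" /etc/passwd /etc/group /etc/TZ
	# The only writable path inside the jail.
	procd_add_jail_mount_rw "$NTPD_RUN"
	# Drop root after start-up (assumes a dedicated "ntp" user exists).
	procd_set_param user ntp
	procd_set_param respawn
	procd_close_instance
}

# Dry-run shim (constructed for off-device inspection): when the real
# procd helpers are not installed, each procd_* call just echoes itself,
# so running start_service prints the jail spec instead of applying it.
if [ ! -r /lib/functions/procd.sh ]; then
	for f in procd_open_instance procd_set_param procd_add_jail \
	         procd_add_jail_mount procd_add_jail_mount_rw procd_close_instance; do
		eval "$f() { echo \"$f \$*\"; }"
	done
fi
```

On a device, /etc/rc.common loads the real helpers and the shim is skipped; off-device, `sh ./ntpd.init` followed by `start_service` prints the mounts and flags the jail would get, which is a quick way to review the jail's exposure before shipping it.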