In Linux it also needs mprotect() to change the permissions on the page so it can write it. The OpenBSD man page[0] indicate that it supports this as well, though notes that not all implementations are guaranteed to allow it, but my guess is it would generally work.

[0] https://man.openbsd.org/mprotect.2

I've been thinking about adding support for this kind of stacking to DACT [0].

[0] http://dact.rkeene.org/

It's more like doing Linux services the UNIX(TM) way since it's more similar to other UNIX service managers like SMF from Solaris or SRC from AIX in the integration -- NT's service manager requires an active event loop which responds to messages.

As an aside, the reason I don't like systemd is because it's inferior to its UNIX counterparts -- especially SMF -- for system management.

AppFS (my project) and CERN VMFS do this, if I understand you correctly.

I've used seccomp in the past to create a read-only root.

I created a seccomp DSL to make this kind of stuff easier [0] (an example of dropping network access is at [1])

[0] https://chiselapp.com/user/rkeene/repository/bash-drop-netwo...

[1] https://chiselapp.com/user/rkeene/repository/bash-drop-netwo...