2004-09-14 01:30:40

by Jochen Bern

Subject: procfs and chroot() ... ?

I'm trying to chroot() a server that needs to read one readonly pseudo
file from /proc . I tried to pinpoint my options to do so ...

-- The alternative to accessing this one pseudo file would be to grant
the server access to /dev/kmem ... NOT ... ANY ... BETTER!! 8-}
-- Mounting two procfs instances (one normal, one inside the chroot())
and setting restrictive permissions on the latter makes identical
changes to the former. (I assume that'ld be the same for ACLs?)
-- Deploying SELinux ... will have to do a good deal of reading to
even find out what'ld be involved in that ...
-- Mounting a "second" procfs, chroot()ing into the exact subdir the
file is in, and mounting non-procfs stuff (like the etc dir with the
configs) *over* the sub-subdirs (ARGH!) would *happen* to rid me of
all *writable* pseudo files, but still provide read access to way
more info than I'ld want to provide to the server ...
(- I'll try to Use The Source (tm) so that the server will not close the
pseudo file, and does the chroot() itself after opening it, but let's
assume for the sake of the argument that I won't succeed in that.)

Is there an official way (or *should* there be one) to have only *part*
of a procfs mounted into a chroot() jail?

Kind regards,
J. Bern


2004-09-14 02:57:51

by Al Viro

Subject: Re: procfs and chroot() ... ?

On Tue, Sep 14, 2004 at 03:30:29AM +0200, Jochen Bern wrote:
> I'm trying to chroot() a server that needs to read one readonly pseudo
> file from /proc . I tried to pinpoint my options to do so ...
>
> -- The alternative to accessing this one pseudo file would be to grant
> the server access to /dev/kmem ... NOT ... ANY ... BETTER!! 8-}
> -- Mounting two procfs instances (one normal, one inside the chroot())
> and setting restrictive permissions on the latter makes identical
> changes to the former. (I assume that'ld be the same for ACLs?)
> -- Deploying SELinux ... will have to do a good deal of reading to
> even find out what'ld be involved in that ...
> -- Mounting a "second" procfs, chroot()ing into the exact subdir the
> file is in, and mounting non-procfs stuff (like the etc dir with the
> configs) *over* the sub-subdirs (ARGH!) would *happen* to rid me of
> all *writable* pseudo files, but still provide read access to way
> more info than I'ld want to provide to the server ...
> (- I'll try to Use The Source (tm) so that the server will not close the
> pseudo file, and does the chroot() itself after opening it, but let's
> assume for the sake of the argument that I won't succeed in that.)

Egads...

mount --bind /proc/whatever/the/fsck/you/want \
/home/jail/wherever/the/fsck/you/want/to/see/it

(assuming that jail is in /home/jail and "mountpoint" exists).

2004-09-15 03:41:43

by Nuno Silva

Subject: Re: procfs and chroot() ... ?

[email protected] wrote:
| On Tue, Sep 14, 2004 at 03:30:29AM +0200, Jochen Bern wrote:
|
|>I'm trying to chroot() a server that needs to read one readonly pseudo
|>file from /proc . I tried to pinpoint my options to do so ...
|>
|>-- The alternative to accessing this one pseudo file would be to grant
|> the server access to /dev/kmem ... NOT ... ANY ... BETTER!! 8-}
|>-- Mounting two procfs instances (one normal, one inside the chroot())
|> and setting restrictive permissions on the latter makes identical
|> changes to the former. (I assume that'ld be the same for ACLs?)
|>-- Deploying SELinux ... will have to do a good deal of reading to
|> even find out what'ld be involved in that ...
|>-- Mounting a "second" procfs, chroot()ing into the exact subdir the
|> file is in, and mounting non-procfs stuff (like the etc dir with the
|> configs) *over* the sub-subdirs (ARGH!) would *happen* to rid me of
|> all *writable* pseudo files, but still provide read access to way
|> more info than I'ld want to provide to the server ...
|>(- I'll try to Use The Source (tm) so that the server will not close the
|> pseudo file, and does the chroot() itself after opening it, but let's
|> assume for the sake of the argument that I won't succeed in that.)
|
|
| Egads...
|
| mount --bind /proc/whatever/the/fsck/you/want \
| /home/jail/wherever/the/fsck/you/want/to/see/it
|
| (assuming that jail is in /home/jail and "mountpoint" exists).

Jochen,
you can also --bind only one file. But you must create the file first:

# mkdir /var/jails/jail1/proc
# touch /var/jails/jail1/proc/cpuinfo
# mount --bind /proc/cpuinfo /var/jails/jail1/proc/cpuinfo

Regards,
Nuno Silva
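
An added example, not part of the original thread: a check that a jail set up with the single-file bind mount described above exposes only the intended procfs entry and not a whole procfs. It parses mountinfo-format text, as found in /proc/self/mountinfo on kernels that provide it; the function names, the sample lines and the jail2 path are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which procfs entries are visible inside a chroot jail.
# Input is mountinfo-format text on stdin. Field 4 is the root of the mount
# within its filesystem, field 5 the mount point, and the filesystem type is
# the first field after the "-" separator.

audit_jail_proc() {
    # $1 = jail root directory, stdin = mountinfo lines
    awk -v jail="${1%/}" '
    {
        fstype = ""
        for (i = 7; i <= NF; i++)
            if ($i == "-") { fstype = $(i + 1); break }
        if (fstype != "proc") next
        # Only mounts at or below the jail root are of interest.
        if ($5 != jail && index($5, jail "/") != 1) next
        if ($4 == "/")
            printf "WHOLE %s exposes all of procfs\n", $5
        else
            printf "PARTIAL %s exposes only /proc%s\n", $5, $4
    }'
}

# Constructed sample: the host /proc, the single-file bind mount from the
# thread (jail1), and a hypothetical jail2 with a full procfs mounted in it.
sample_mountinfo() {
    cat <<'EOF'
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
95 28 0:21 /cpuinfo /var/jails/jail1/proc/cpuinfo rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
96 28 0:44 / /var/jails/jail2/proc rw,relatime shared:40 - proc proc rw
EOF
}

# Succeeds only if no mount under the jail exposes the whole procfs.
jail_is_minimal() {
    ! audit_jail_proc "$1" | grep -q '^WHOLE'
}

sample_mountinfo | audit_jail_proc /var/jails/jail1
sample_mountinfo | audit_jail_proc /var/jails/jail2
```

On a live system, feed the functions the real table instead of the sample, for example `audit_jail_proc /var/jails/jail1 < /proc/self/mountinfo`.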