I have been trying to use the combination of CLONE_NEWNS and bind mounts
to create a better (than) chroot jail. I wish to have the ability to
bind (ro will be possible in the future, I understand) certain
directories into the jail (perhaps /bin, /lib, /usr), but not have
parallel directories in the jail (no /etc, ..., /home).
I have heard that this should be possible, but have yet to get a working
solution.
I have tried something analogous to:
chdir("/jail");
unshare(CLONE_NEWNS);
/* mount(8) syntax given for simplicity, but mount(2) used below */
mount --bind / /jail/old_root
mount --bind /jail/old_root/bin /jail/bin
mount --bind /jail/old_root/usr /jail/usr
mount --bind /jail/old_root/lib /jail/lib
mount --bind /jail / # does nothing?
umount2("/old_root", MNT_DETACH); # never happens.
exec("bin/sh");
When bin/sh runs, I can still see old_root from /jail and the bind of
/jail over / seems to have not done anything.
Is it possible to create such a jail with bind mounts? Is there a
recommended method for doing so? Thank you for your time.
--
Michael Leibowitz
Software Engineer, UMG
Intel Corporation
michael.leibowitz at intel.com
Quoting Leibowitz, Michael ([email protected]):
> I have been trying to use the combination of CLONE_NEWNS and bind mounts
> to create a better (than) chroot jail. I wish to have the ability to
> bind (ro will be possible in the future, I understand) certain
> directories into the jail (perhaps /bin, /lib, /usr), but not have
> parallel directories in the jail (no /etc, ..., /home).
>
> I have heard that this should be possible, but have yet to get a working
> solution.
>
> I have tried something analogous to:
Try a few more things. Since you had entered /jail, you can view '/' by
looking at .. . But if you look at /, you dereference your
task->fsroot. You never changed that, so it points to the original
mount. If however you 'ls ..', you should see your 'jail' directory.
However it won't have the /bin and /lib mounted because you didn't
mount --rbind /jail /
What you really want to do is
mount --bind /jail /jail
to make sure it's a mountpoint, then set up the new /jail using bind
mounts like you're doing (and likely some rbinds in some places), then
use pivot_root() to change your root. Then umount2("/old_root",
MNT_DETACH).
-serge
> chdir("/jail");
> unshare(CLONE_NEWNS);
> /* mount(8) syntax given for simplicity, but mount(2) used below */
> mount --bind / /jail/old_root
> mount --bind /jail/old_root/bin /jail/bin
> mount --bind /jail/old_root/usr /jail/usr
> mount --bind /jail/old_root/lib /jail/lib
> mount --bind /jail / # does nothing?
> umount2("/old_root", MNT_DETACH); # never happens.
> exec("bin/sh");
>
> When bin/sh runs, I can still see old_root from /jail and the bind of
> /jail over / seems to have not done anything.
>
> Is it possible to create such a jail with bind mounts? Is there a
> recommended method for doing so? Thank you for your time.
>
> --
> Michael Leibowitz
> Software Engineer, UMG
> Intel Corporation
> michael.leibowitz at intel.com
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
If I understand correctly, the following should accomplish what I'm
looking for. However, pivot_root gives me EBUSY. I played around with
moving the mount --bind /jail /jail to before the unshared, as well as
making old_root a bind mount to itself. However, pivot_root always
seems to fail. Is there something obvious that I'm doing wrong? The
following is my test code (error checking has been removed for clarity,
except for pivot_root).
char *newargv[]= { "sh", NULL };
chdir("/jail");
unshare(CLONE_NEWNS));
mount("/jail", "/jail", NULL, MS_BIND, NULL));
mount("/bin", "bin", NULL, MS_BIND, NULL));
mount("/usr", "usr", NULL, MS_BIND, NULL));
mount("/lib", "lib", NULL, MS_BIND, NULL));
if (pivot_root(".", "old_root")) perror("pivot_root . old_root");
exec("./bash-static"); /* copied to /jail prior to running */
Thanks.
>Serge replies:
[snip...snip]
>Try a few more things. Since you had entered /jail, you can view '/'
by
>looking at .. . But if you look at /, you dereference your
>task->fsroot. You never changed that, so it points to the original
>mount. If however you 'ls ..', you should see your 'jail' directory.
>However it won't have the /bin and /lib mounted because you didn't
> mount --rbind /jail /
>What you really want to do is
> mount --bind /jail /jail
>to make sure it's a mountpoint, then set up the new /jail using bind
>mounts like you're doing (and likely some rbinds in some places), then
>use pivot_root() to change your root. Then umount2("/old_root",
>MNT_DETACH).
>
>-serge
--
Michael Leibowitz
Software Engineer, UMG
Intel Corporation
michael.leibowitz at intel.com
Leibowitz, Michael <[email protected]> wrote:
> If I understand correctly, the following should accomplish what I'm
> looking for. However, pivot_root gives me EBUSY. I played around with
> moving the mount --bind /jail /jail to before the unshared, as well as
> making old_root a bind mount to itself. However, pivot_root always
> seems to fail. Is there something obvious that I'm doing wrong? The
> following is my test code (error checking has been removed for clarity,
> except for pivot_root).
>
> char *newargv[]= { "sh", NULL };
>
> chdir("/jail");
> unshare(CLONE_NEWNS));
> mount("/jail", "/jail", NULL, MS_BIND, NULL));
> mount("/bin", "bin", NULL, MS_BIND, NULL));
> mount("/usr", "usr", NULL, MS_BIND, NULL));
> mount("/lib", "lib", NULL, MS_BIND, NULL));
> if (pivot_root(".", "old_root")) perror("pivot_root . old_root");
> exec("./bash-static"); /* copied to /jail prior to running */
This works for me:
#include <sys/mount.h>
#include <unistd.h>
#define _GNU_SOURCE
#include <sched.h>
#define MNT_DETACH 2 /* Detach from tree only */
int main()
{
unshare(CLONE_NEWNS);
mount("jail", "jail", NULL, MS_BIND, NULL);
mount("/bin", "jail/bin", NULL, MS_BIND, NULL);
mount("/usr", "jail/usr", NULL, MS_BIND, NULL);
mount("/lib", "jail/lib", NULL, MS_BIND, NULL);
/* abuse bin as the temporary old root directory */
if (pivot_root("jail", "jail/bin"))
perror("pivot_root");
chdir("/");
umount2("bin", MNT_DETACH);
execl("./sash", NULL); /* copied to /jail prior to running */
}
Quoting Leibowitz, Michael ([email protected]):
> If I understand correctly, the following should accomplish what I'm
> looking for. However, pivot_root gives me EBUSY. I played around with
> moving the mount --bind /jail /jail to before the unshared, as well as
> making old_root a bind mount to itself. However, pivot_root always
> seems to fail. Is there something obvious that I'm doing wrong? The
Yes, you
cd /jail
mount --bind /jail /jail
pivot_root . old_root
but . is now mounted over.
-serge
> following is my test code (error checking has been removed for clarity,
> except for pivot_root).
>
> char *newargv[]= { "sh", NULL };
>
> chdir("/jail");
> unshare(CLONE_NEWNS));
> mount("/jail", "/jail", NULL, MS_BIND, NULL));
> mount("/bin", "bin", NULL, MS_BIND, NULL));
> mount("/usr", "usr", NULL, MS_BIND, NULL));
> mount("/lib", "lib", NULL, MS_BIND, NULL));
> if (pivot_root(".", "old_root")) perror("pivot_root . old_root");
> exec("./bash-static"); /* copied to /jail prior to running */
>
> Thanks.
>
> >Serge replies:
> [snip...snip]
> >Try a few more things. Since you had entered /jail, you can view '/'
> by
> >looking at .. . But if you look at /, you dereference your
> >task->fsroot. You never changed that, so it points to the original
> >mount. If however you 'ls ..', you should see your 'jail' directory.
> >However it won't have the /bin and /lib mounted because you didn't
> > mount --rbind /jail /
> >What you really want to do is
> > mount --bind /jail /jail
> >to make sure it's a mountpoint, then set up the new /jail using bind
> >mounts like you're doing (and likely some rbinds in some places), then
> >use pivot_root() to change your root. Then umount2("/old_root",
> >MNT_DETACH).
> >
> >-serge
>
> --
> Michael Leibowitz
> Software Engineer, UMG
> Intel Corporation
> michael.leibowitz at intel.com
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
I'm not 100% sure if this is what you meant, but I did get the following
to work:
chdir("/jail");
unshare(CLONE_NEWNS);
mount("/jail", "/jail", NULL, MS_BIND, NULL);
pivot_root("/jail", "/jail/old_root");
chdir("/");
mount("/old_root/bin", "bin", NULL, MS_BIND, NULL);
mount("/old_root/usr", "usr", NULL, MS_BIND, NULL);
mount("/old_root/lib", "lib", NULL, MS_BIND, NULL);
umount2("/old_root", MNT_DETACH);
exec("/busybox");
Thanks for the help.
On Tue, 2008-03-04 at 15:45 -0600, [email protected] wrote:
> Quoting Leibowitz, Michael ([email protected]):
> Yes, you
> cd /jail
> mount --bind /jail /jail
> pivot_root . old_root
>
> but . is now mounted over.
> > char *newargv[]= { "sh", NULL };
> >
> > chdir("/jail");
> > unshare(CLONE_NEWNS));
> > mount("/jail", "/jail", NULL, MS_BIND, NULL));
> > mount("/bin", "bin", NULL, MS_BIND, NULL));
> > mount("/usr", "usr", NULL, MS_BIND, NULL));
> > mount("/lib", "lib", NULL, MS_BIND, NULL));
> > if (pivot_root(".", "old_root")) perror("pivot_root . old_root");
> > exec("./bash-static"); /* copied to /jail prior to running */
--
Michael Leibowitz <[email protected]>