tech-userlevel archive


Re: simple chroot environment rc.d script

you're going to use null mounts.  The most obvious issue is that a
full copy of /dev is provided to the application, when what you really

Well actually, it only creates the standard devices (MAKEDEV std), not
a full copy:

constty  klog  ksyms  null    stdin   tty
console  drum     kmem  mem    stderr  stdout  zero

But I probably don't need all of these, null, zero and random should be

want to do is ensure the application has only the device nodes it
needs, on a read-only filesystem, and everything else accessible to
it mounted "nodev".

Only the needed directories are mounted as r/w, everything in ro_fses
(the null-mounted directories) is mounted as read-only.
Anyway I still agree with you, there's plenty of room for improvement,
I'll add some more restrictions to the r/w directories.

Thanks for the feedback!

Emile "iMil" Heitor .°. <imil@{,,}>
              |        | ASCII ribbon campaign ( )
              |  |  - against HTML email  X
              |        |              & vCards / \
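
The mount policy discussed in this message (device nodes on a read-only filesystem, everything else "nodev", only the needed directories writable) can be checked from `mount` output. The script below is an added example, not part of the original message or the rc.d script it discusses; the function names, the /chroot/app path, the sample lines and the assumed line shape `SRC on DST type FS (opt, opt)` with the flags printed as `read-only` and `nodev` are assumptions.

```shell
#!/bin/sh
# audit_chroot_mounts ROOT
# Reads mount(8)-style lines on stdin and reports, for mounts below ROOT:
#   DEV-NOT-RO     ROOT/dev is not mounted read-only
#   MISSING-NODEV  any other mount that lacks nodev
#   WRITABLE       informational: compare with the intended r/w list
# Exit status is 1 if a DEV-NOT-RO or MISSING-NODEV finding was printed.
# Assumption: mount points contain no whitespace.
audit_chroot_mounts() {
    awk -v root="$1" '
    BEGIN { bad = 0 }
    {
        if ($2 != "on" || $4 != "type") next      # not a mount line
        dst = $3
        if (index(dst, root "/") != 1) next       # outside the chroot
        opts = $0
        if (index(opts, "(") == 0) opts = ""      # no option list shown
        sub(/^[^(]*\(/, "", opts)
        sub(/\).*$/, "", opts)
        n = split(opts, o, /, */)
        ro = 0; nodev = 0
        for (i = 1; i <= n; i++) {
            if (o[i] == "read-only") ro = 1
            if (o[i] == "nodev") nodev = 1
        }
        if (dst == root "/dev") {
            # device nodes must live here, so nodev is not expected
            if (!ro) { print "DEV-NOT-RO " dst; bad = 1 }
            next
        }
        if (!nodev) { print "MISSING-NODEV " dst; bad = 1 }
        if (!ro) print "WRITABLE " dst
    }
    END { exit bad }'
}

# Constructed sample input, not captured from a real system.
sample_mounts() {
    cat <<'EOF'
/dev/wd0a on / type ffs (local)
/usr/bin on /chroot/app/usr/bin type null (read-only, nodev, local)
/usr/lib on /chroot/app/usr/lib type null (read-only, local)
/var/app on /chroot/app/var/app type null (nodev, local)
tmpfs on /chroot/app/dev type tmpfs (local)
EOF
}

sample_mounts | audit_chroot_mounts /chroot/app || true
```

On a live system the input would be `mount | audit_chroot_mounts /path/to/chroot`.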
