tech-security archive


security implications: ptyfs + mount_null + chroot

** The short version:

  What security implications are there of doing a "null" mount of
/dev/pts on to directory that will be used under a chroot'ed
environment?  How easily, if at all, could the resulting access to
ptys which might have been opened in the parent environment be a
vulnerability?

  In addition, how iron-clad is chroot now considered to be anyway?


** The longer version, if you care to read it:

  I'm using the sandbox feature under pkgsrc/mk/bulk to build
packages in a chroot'ed env (I'm aware of other ways to build
packages chroot'ed, but I prefer mksandbox because it's elegantly
simple).  I'm enjoying its side benefit that null-mounting the
parent userland dirs read-only in the sandbox reduces the damage to
the OS that, e.g., a trojan'ed Makefile.in buried in the package
distribution could do during builds.  I do realize I'm not
addressing the run-time trust issue of packages here.  Consider
that a separate thread for the moment.

  A small problem I'm having, though, is that since ptyfs is
unavailable in the sandbox, some programs don't work in the
sandbox.  My quick fix was to add /dev/pts to the list of
directories that get null-mounted; but it has to be read-write--
and therefore sets off warning-bells for me that doing so might
diminish the whole chroot/read-only win of using the sandbox.  Does
it?  Could it, say, offer an attacker in the chroot'ed environment
a previously-unavailable way to escape the jail?  Or is the
aforementioned chroot/read-only win actually less of a win than I
thought it was in the first place?

  Thanks in advance for your opinion on this.

Cheers,  --Dave
Boston, MA
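An added example (not part of the mail above, not from pkgsrc or mksandbox) showing the check I would run before trusting a sandbox like the one described: parse mount(8)-style output and list every mount below the sandbox root that is not read-only, separately flagging null mounts whose source is a host device directory such as /dev/pts. The mount lines and the /usr/sandbox root are constructed for the example; the line format assumed is NetBSD's "source on mountpoint type fstype (opts)".

```shell
#!/bin/sh
# Audit which mounts under a chroot sandbox root are writable from inside
# the jail. Input lines follow NetBSD mount(8) output:
#   <source> on <mountpoint> type <fstype> (<opt>, <opt>)
# The mounts below are constructed sample data, not a real system.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
ptyfs on /dev/pts type ptyfs (local)
/bin on /usr/sandbox/bin type null (read-only, local)
/usr on /usr/sandbox/usr type null (read-only, local)
/dev/pts on /usr/sandbox/dev/pts type null (local)
/home/dave/pkgsrc on /usr/sandbox/usr/pkgsrc type null (local)'

# audit_sandbox ROOT: reads mount lines on stdin and prints one line per
# mount at or below ROOT that is not read-only. A writable null mount whose
# source lives under /dev (host device nodes shared into the jail) is
# tagged RW-SHARED-DEV; any other writable mount is tagged RW.
# Returns 1 if anything writable was found, 0 otherwise.
audit_sandbox() {
    root=$1
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        src=${line%% on *}              # "/dev/pts"
        rest=${line#* on }              # "/usr/sandbox/dev/pts type null (local)"
        mp=${rest%% type *}             # "/usr/sandbox/dev/pts"
        rest=${rest#* type }            # "null (local)"
        fstype=${rest%% (*}             # "null"
        opts=${rest#*(}; opts=${opts%)} # "local"
        # only mounts at or below the sandbox root are reachable from the jail
        case "$mp" in
            "$root"|"$root"/*) ;;
            *) continue ;;
        esac
        case "$opts" in *read-only*) continue ;; esac
        found=1
        case "$fstype:$src" in
            null:/dev/*) printf 'RW-SHARED-DEV %s %s from %s\n' "$mp" "$fstype" "$src" ;;
            *)           printf 'RW %s %s from %s\n' "$mp" "$fstype" "$src" ;;
        esac
    done
    return $found
}

# On a live system replace the sample with: mount | audit_sandbox /usr/sandbox
printf '%s\n' "$SAMPLE_MOUNTS" | audit_sandbox /usr/sandbox \
    || echo "writable mounts found under the sandbox root"
```

On the sample data this reports the read-write /dev/pts null mount as RW-SHARED-DEV and the pkgsrc tree as RW, while the read-only /bin and /usr mounts and everything outside /usr/sandbox are silent.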

