Re: chroot add option to mount /dev /proc /sys for you?
From: Assaf Gordon
Subject: Re: chroot add option to mount /dev /proc /sys for you?
Date: Tue, 17 Apr 2018 01:39:23 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
Hello Marc,
On 17/04/18 12:23 AM, Bernhard Voelker wrote:
> On 04/15/2018 12:46 AM, Marc Weber wrote:
>> chrooting has always been a mess for me because in order for software to
>> work you need to bind mount /dev /proc /sys usually.
>> Then when something crashes or you quit chroot -> a mess again.
> This was already discussed at:
> https://lists.gnu.org/r/coreutils/2017-09/msg00013.html
In addition to the suggestion from the above thread (use a script),
since you are already using linux-specific commands you might want
to consider using unshare(1) from util-linux which will create a
separate mount-namespace.
Example, if you have the chroot directories:
/tmp/chroot/bin
/tmp/chroot/proc
/tmp/chroot/sys
/tmp/chroot/dev
And have the minimal shell static binary:
/tmp/chroot/bin/sh
You could do the following:
sudo unshare --mount \
sh -c "mount -t proc none /tmp/chroot/proc ; \
mount -t sysfs none /tmp/chroot/sys ; \
mount -o bind /dev /tmp/chroot/dev ; \
exec chroot /tmp/chroot /bin/sh"
First, these mounts will not appear on your main system.
Second, these mounts will disappear once /bin/sh terminates.
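As an added example (not part of Assaf's message or of coreutils), here is the same unshare(1) recipe wrapped in a small POSIX sh script, together with the check a practitioner wants before cleaning up: a function that reads /proc/self/mountinfo and lists anything still mounted under the chroot directory, so a leftover bind mount of /dev is noticed before anyone runs rm -rf over the tree. It assumes util-linux unshare with the --propagation option (util-linux 2.27 and later, where private propagation is already the default) and a static /bin/sh inside the chroot as in the mail; the mountinfo sample at the bottom is constructed for the self-test, not captured from a real host.

```sh
#!/bin/sh
# Added example, not Assaf's script: a wrapper around the unshare(1)
# approach plus a check for mounts left behind on the host (the "mess"
# the original poster described).  Assumes util-linux unshare with
# --propagation (2.27+) and a static /bin/sh inside the chroot.

# Print every mount point at or below directory $1, read from a
# /proc/self/mountinfo-style listing in file $2 (default: the live
# one; pass "-" to read stdin).  Field 5 is the mount point; mountinfo
# escapes spaces in paths as \040.
stale_chroot_mounts() {
    dir=${1%/}
    info=${2:-/proc/self/mountinfo}
    awk -v d="$dir" '{
        mp = $5
        gsub(/\\040/, " ", mp)
        # the directory itself or anything strictly beneath it, so that
        # /tmp/chroot2 is not reported as being under /tmp/chroot
        if (mp == d || index(mp, d "/") == 1) print mp
    }' "$info"
}

# Return 0 when nothing is mounted under $1, 1 otherwise.  Run this
# before deleting a chroot tree: rm -rf over a still-bound /dev would
# act on the host's device nodes.
chroot_is_unmounted() {
    [ -z "$(stale_chroot_mounts "$1" "${2:-/proc/self/mountinfo}")" ]
}

# Enter the chroot inside a private mount namespace.  The proc, sysfs
# and /dev mounts exist only in that namespace and are torn down when
# the shell exits, so the host mount table is untouched.
enter_chroot() {
    root=${1%/}
    for sub in bin/sh proc sys dev; do
        [ -e "$root/$sub" ] || { echo "missing $root/$sub" >&2; return 1; }
    done
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    chroot_is_unmounted "$root" ||
        echo "warning: host already has mounts under $root" >&2
    # --propagation private is the default on recent util-linux; naming
    # it guards against a shared root mount propagating our mounts back out.
    unshare --mount --propagation private sh -c '
        root=$1
        mount -t proc none "$root/proc" &&
        mount -t sysfs none "$root/sys" &&
        mount -o bind /dev "$root/dev" &&
        exec chroot "$root" /bin/sh
    ' sh "$root"
}

# Constructed mountinfo sample (not captured from a real host): two
# leftover mounts under /tmp/chroot and one under the unrelated /tmp/chroot2.
SAMPLE_MOUNTINFO='28 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
96 28 0:21 / /tmp/chroot/proc rw,relatime - proc none rw
97 28 0:5 / /tmp/chroot/dev rw,nosuid shared:2 - devtmpfs udev rw
98 28 0:21 / /tmp/chroot2/proc rw,relatime - proc none rw'

# Usage (as root): CHROOT_DIR=/tmp/chroot sh this-script.sh
if [ -n "${CHROOT_DIR:-}" ]; then
    enter_chroot "$CHROOT_DIR"
fi
```

Against the live system, `stale_chroot_mounts /tmp/chroot` (no second argument) reads the real mount table; an empty result after the chroot shell has exited is exactly the property Assaf describes, since the mounts only ever existed in the child namespace.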
---
For even more advanced (and more complicated) sandboxing, programs
like BubbleWrap ( https://github.com/projectatomic/bubblewrap ) take
full advantage of Linux namespaces (roughly, containers) and let you easily
specify many types of mounts and isolation.
Hope this helps,
- Assaf