Hello Marc,

On 17/04/18 12:23 AM, Bernhard Voelker wrote:
> On 04/15/2018 12:46 AM, Marc Weber wrote:
>> chrooting has always been a mess for me because in order for software to
>> work you need to bind mount /dev /proc /sys usually.
>> Then when something crashes or you quit chroot -> a mess again.
>
> This was already discussed at:
>
>    https://lists.gnu.org/r/coreutils/2017-09/msg00013.html

In addition to the suggestion from the above thread (use a script),
since you are already using linux-specific commands you might want
to consider using unshare(1) from util-linux which will create a separate mount-namespace.

Example, if you have the chroot directories:

   /tmp/chroot/bin
   /tmp/chroot/proc
   /tmp/chroot/sys
   /tmp/chroot/dev

And have the minimal shell static binary:

   /tmp/chroot/bin/sh


You could do the following:

   sudo unshare --mount \
        sh -c "mount -t proc none /tmp/chroot/proc ; \
               mount -t sysfs none /tmp/chroot/sys ; \
               mount -o bind /dev /tmp/chroot/dev ; \
               exec chroot /tmp/chroot /bin/sh"

First, these mounts will not appear on your main system.
Second, these mounts will disappear once /bin/sh terminates.

---

For even more advanced/complicated sandboxing solutions, programs like BubbleWrap ( https://github.com/projectatomic/bubblewrap ) take full advantage of linux namespaces (~containers) and allow you to easily specify many types of mounts and isolations.

Hope this helps,
 - Assaf
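As an added example that is not part of the mail above (nor of coreutils or util-linux), here is the same unshare(1) + chroot(8) recipe as a small POSIX sh script with sanity checks. The function names, the argument handling, the explicit --propagation private, the extra --pid --fork and the --rbind of /dev are this example's own choices; the layout it expects (bin, proc, sys, dev and a static bin/sh under the chroot directory) is the one described in the mail.

```shell
#!/bin/sh
# Added example, not code from the original mail: the unshare + chroot recipe
# wrapped in a script with sanity checks.  Assumes the layout from the mail,
# CHROOT/{bin,proc,sys,dev} plus a static CHROOT/bin/sh.  Function names are
# this example's own.

# Check that the tree has every mount point and the shell we are about to
# exec.  Reports the first problem on stderr and returns 1; returns 0 if all
# pieces are present.
check_chroot_layout() {
    root=$1
    for d in bin proc sys dev; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d" >&2
            return 1
        fi
    done
    if [ ! -x "$root/bin/sh" ]; then
        echo "missing or non-executable shell: $root/bin/sh" >&2
        return 1
    fi
}

# Print, one per line, the mount commands to run inside the new namespace.
# Printing them instead of running them directly lets a reviewer (or a test)
# inspect exactly what will be mounted.
mount_script() {
    root=$1
    printf 'mount -t proc none %s/proc\n' "$root"
    printf 'mount -t sysfs none %s/sys\n' "$root"
    # --rbind rather than the mail's plain bind: /dev/pts and /dev/shm are
    # separate mounts on the host and a non-recursive bind would leave them out.
    printf 'mount --rbind /dev %s/dev\n' "$root"
}

# Create a fresh mount namespace, perform the mounts there and chroot.
# --propagation private (util-linux's default, spelled out here) keeps the
# mounts from propagating back to the host even when / is a shared mount, as
# systemd sets it up; they disappear when the chrooted shell exits.
# --pid --fork additionally gives the chroot its own pid namespace, so the
# proc mounted inside shows only the chroot's own processes.
enter_chroot() {
    root=$1
    check_chroot_layout "$root" || return 1
    if [ "$(id -u)" -ne 0 ]; then
        echo "enter_chroot: must run as root (unshare and mount need CAP_SYS_ADMIN)" >&2
        return 1
    fi
    # $(...) strips the trailing newline, so "; exec" follows the last mount.
    unshare --mount --propagation private --pid --fork \
        sh -ec "$(mount_script "$root"); exec chroot '$root' /bin/sh"
}

# Usage: ./enter-chroot.sh /tmp/chroot   (does nothing unless a directory is given)
if [ $# -gt 0 ]; then
    enter_chroot "$1"
fi
```

The checks and the printed mount list run unprivileged; only enter_chroot needs root. Note that chroot on its own is not a security boundary: a root process inside can still reach the host's devices through /dev, so this separates the mounts for tidiness, as the mail intends, rather than containing a hostile program.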
