A recent discussion about partitioning runtime env for security hardening transitioned from vm to chroot; when I realized pkgsrc infra could be used for a robust chroot jail management. A quick search indicated if this has been done before, it certainly is not commonplace.
Is anyone aware of tools designed to create chroot jails from pkgsrc package binaries?
It might be so simple there are no tools? Install binaries, chroot and run. This is straightforward, but could be wasteful of disk space if there are many jails. Another way could be to maintain a main administrative jail, with chroot and pkg_add, for each package any local jail might need. Then for jail creation, the tool would identify files for the requested packages and their dependencies from the main jail, and create hardlinks to the new job jail.
./jail/main/usr/pkg/...
./jail/job1/usr/pkg/...
./jail/job2/usr/pkg/...
The main jail administrative task would be handled by the tool too, so with a jail name and package list, the tool would insure the packages were installed in the main jail, then link the package and dependency files to the new jail, along with any needed base files; all as a jailer uid. Then user data is installed in the jail and the chroot job would be run as the user, with whatever ulimit, and the job prefix deleted when through.
Package updates could get messy, probably solved by moving main aside and recreating it when pkgsrc is updated. Also, would want to support multiple main or pkg release tag prefixes. SUID binaries should be prevented to avoid main and cross job corruption. This pkgsrc jailer tool could dovetail with a lightweight HPC scheduler?
I see package deps but no provided file list in pkgdb data, so I guess they should be read from the package tgz? While I don't have an immediate need for this tool, I might experiment with it soon, since it sounds fun and is so simple. Does anyone have any suggestions, gaps, or shortcomings I may have missed?
-George