tech-userlevel archive
Re: simple chroot environment rc.d script
> you're going to use null mounts. The most obvious issue is that a
> full copy of /dev is provided to the application, when what you really
Well actually, it only creates the standard devices (MAKEDEV std), not
a full copy:
constty klog ksyms null stdin tty
console drum kmem mem stderr stdout zero
But I probably don't need all of these; null, zero and random should be
enough.
> want to do is ensure the application has only the device nodes it
> needs, on a read-only filesystem, and everything else accessible to
> it mounted "nodev".
Only the needed directories are mounted as r/w, everything in ro_fses
(the null-mounted directories) is mounted as read-only.
Anyway I still agree with you, there's plenty of room for improvement,
I'll add some more restrictions to the r/w directories.
Thanks for the feedback!
------------------------------------------------------------------
Emile "iMil" Heitor .°. <imil@{home.imil.net,NetBSD.org,gcu.info}>
_
| http://imil.net | ASCII ribbon campaign ( )
| http://www.NetBSD.org | - against HTML email X
| http://gcu.info | & vCards / \
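
The mount policy discussed in this message (null mounts read-only unless explicitly writable, and "nodev" on everything the application can reach) can be checked mechanically. The script below is an added example, not part of the original post or of the rc.d script under discussion; the chroot path, the sample mount lines and the function names are constructed, and it assumes `mount` prints lines of the form `<src> on <mountpoint> type <fstype> (<options>)` with no spaces in paths and that the chroot's dev directory is not a separate mount.

```sh
#!/bin/sh
# Added example: audit `mount`-style output for a chroot.
# Rule 1: every mount at or below the chroot root must carry "nodev".
# Rule 2: every such mount must be "read-only" unless listed as writable.

audit_chroot_mounts() {
    # $1 = chroot root, $2 = space-separated writable mount points (may be empty)
    awk -v root="$1" -v rw="$2" '
    BEGIN { n = split(rw, a, " "); for (i = 1; i <= n; i++) writable[a[i]] = 1 }
    {
        mp = $3
        # Ignore mounts that are outside the chroot tree.
        if (mp != root && index(mp, root "/") != 1) next
        # Keep only the text between the parentheses: the option list.
        opts = $0
        sub(/^[^(]*\(/, "", opts); sub(/\).*$/, "", opts)
        nodev = 0; ro = 0
        m = split(opts, o, /, */)
        for (i = 1; i <= m; i++) {
            if (o[i] == "nodev") nodev = 1
            if (o[i] == "read-only") ro = 1
        }
        if (!nodev) print "MISSING-NODEV " mp
        if (!ro && !(mp in writable)) print "NOT-READONLY " mp
    }'
}

# Constructed sample input (hypothetical chroot at /var/chroot/app).
sample_mounts() {
cat <<'EOF'
/dev/wd0a on / type ffs (local)
/usr/pkg on /var/chroot/app/usr/pkg type null (read-only, nodev, local)
/lib on /var/chroot/app/lib type null (read-only, local)
/var/app/data on /var/chroot/app/data type null (nodev, nosuid, local)
/var/app/tmp on /var/chroot/app/tmp type null (nodev, local)
EOF
}

# Only .../data is declared writable; .../lib lacks nodev, .../tmp is
# writable without being declared, so both are reported.
sample_mounts | audit_chroot_mounts /var/chroot/app "/var/chroot/app/data"
```

On a live system the function would read from `mount` instead of `sample_mounts`.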