Re: procfs and chroot() ... ?

[viro]

On Tue, Sep 14, 2004 at 03:30:29AM +0200, Jochen Bern wrote:
> I'm trying to chroot() a server that needs to read one readonly pseudo 
> file from /proc . I tried to pinpoint my options to do so ...
> 
> -- The alternative to accessing this one pseudo file would be to grant
>    the server access to /dev/kmem ... NOT ... ANY ... BETTER!! 8-}
> -- Mounting two procfs instances (one normal, one inside the chroot())
>    and setting restrictive permissions on the latter makes identical
>    changes to the former. (I assume that'ld be the same for ACLs?)
> -- Deploying SELinux ... will have to do a good deal of reading to
>    even find out what'ld be involved in that ...
> -- Mounting a "second" procfs, chroot()ing into the exact subdir the
>    file is in, and mounting non-procfs stuff (like the etc dir with the
>    configs) *over* the sub-subdirs (ARGH!) would *happen* to rid me of
>    all *writable* pseudo files, but still provide read access to way
>    more info that I'ld want to provide to the server ...
> (- I'll try to Use The Source (tm) so that the server will not close the
>    pseudo file, and does the chroot() itself after opening it, but let's
>    assume for the sake of the argument that I won't succeed in that.)

Egads...

mount --bind /proc/whatever/the/fsck/you/want \
	/home/jail/wherever/the/fsck/you/want/to/see/it

(assuming that jail is in /home/jail and "mountpoint" exists).
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/