From owner-freebsd-hackers@FreeBSD.ORG  Tue Jul 23 23:44:19 2013
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id D8B5638B
 for <hackers@freebsd.org>; Tue, 23 Jul 2013 23:44:19 +0000 (UTC)
 (envelope-from yuri@rawbw.com)
Received: from www.rawbandwidth.com (www.rawbandwidth.com [198.144.193.1])
 by mx1.freebsd.org (Postfix) with ESMTP id 9FD7A2CDD
 for <hackers@freebsd.org>; Tue, 23 Jul 2013 23:44:19 +0000 (UTC)
Received: from eagle.yuri.org (stunnel@localhost [127.0.0.1])
 (authenticated bits=0)
 by www.rawbandwidth.com (8.14.4/8.14.4) with ESMTP id r6NNiIgE015494;
 Tue, 23 Jul 2013 16:44:19 -0700 (PDT) (envelope-from yuri@rawbw.com)
Message-ID: <51EF1552.4050003@rawbw.com>
Date: Tue, 23 Jul 2013 16:44:18 -0700
From: Yuri <yuri@rawbw.com>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
 rv:17.0) Gecko/20130628 Thunderbird/17.0.7
MIME-Version: 1.0
To: Mateusz Guzik <mjguzik@gmail.com>
Subject: Re: Should process run under chroot(8) still see mounts on the
 original system?
References: <51EF0EEE.8030000@rawbw.com> <20130723233102.GA19249@dft-labs.eu>
In-Reply-To: <20130723233102.GA19249@dft-labs.eu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: FreeBSD Hackers <hackers@freebsd.org>
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2013 23:44:19 -0000

On 07/23/2013 16:31, Mateusz Guzik wrote:
> Of course then you may have some unnecessary separation but that I
> believe can be simply worked out if it turns out to be problematic.


jail would completely separate two systems. In my case this app also 
communicates through files that it creates and host app reads through 
symbolic links. It might also be assuming that it runs on the same host 
and maybe is unable to connect to X server other than through the shared 
memory.

Such functionality can be made optional through some sysctl variable.

Yuri