From: Tomek CEDRO
Date: Fri, 1 Aug 2025 16:17:45 +0200
Subject: Re: Non-root chroot
To: Jason Bacon
Cc: freebsd-hackers
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

There is a sysctl to enable user-level chroot if you know what you are doing that works for me (i.e. launch tmux + compiler within a custom Debian linuxlator instance or launch a 3D slicer Linux binary); you can find this with `sysctl -a | grep chroot` (not at the comp right now, sorry). You will also probably need to enable an additional sysctl for network access (it's chroot but the jails mechanism) when needed (and local firewall when applicable).

This is a good option if you yourself want to test by hand something you know, but it's not secure. Jails will give you better security (i.e. processing external data, exposing interfaces, etc).

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
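A defender-side check for the knob the reply points at, added here as an example and not part of the mail or of FreeBSD itself: the sysctl that `sysctl -a | grep chroot` turns up on FreeBSD is `security.bsd.unprivileged_chroot` (a real kernel knob; 0 means only root may chroot(2), 1 lets unprivileged processes do so). The script parses `sysctl`-style `name: value` output, fed a constructed sample so it runs on any host, and classifies the setting; a second function queries the live kernel and reports `unknown` where the knob does not exist. The extra network-access sysctl the author mentions is not named in the mail and is not guessed here.

```shell
#!/bin/sh
# Added example (not from the mail): report whether unprivileged chroot is
# enabled, so a host audit can flag it on multi-user or exposed machines.

# Constructed sample of `sysctl -a | grep chroot` output on a FreeBSD host
# where the knob has been turned on (the value 1 is assumed for the sample).
SAMPLE_SYSCTL='security.bsd.unprivileged_chroot: 1'

# unprivileged_chroot_state TEXT
#   TEXT is sysctl output, one "name: value" line per setting.
#   Prints "enabled", "disabled", or "unknown" (knob absent from TEXT).
unprivileged_chroot_state() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "security.bsd.unprivileged_chroot" { found = 1; v = $2 }
        END {
            if (!found)        print "unknown"
            else if (v == "1") print "enabled"
            else               print "disabled"
        }'
}

# live_unprivileged_chroot_state
#   Queries the running kernel; on a non-FreeBSD host sysctl fails for this
#   name, which is reported as "unknown" rather than as an error.
live_unprivileged_chroot_state() {
    if out=$(sysctl security.bsd.unprivileged_chroot 2>/dev/null); then
        unprivileged_chroot_state "$out"
    else
        echo unknown
    fi
}

printf 'sample kernel: %s\n' "$(unprivileged_chroot_state "$SAMPLE_SYSCTL")"
printf 'live kernel:   %s\n' "$(live_unprivileged_chroot_state)"
```

Leaving the knob at its default of 0 keeps chroot(2) root-only; a reading of `enabled` on a host that also processes untrusted input is the case where the reply's advice to prefer a jail applies.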