Date: Wed, 24 Jul 2013 02:19:04 +0200
From: Mateusz Guzik <mjguzik@gmail.com>
To: Yuri <yuri@rawbw.com>
Cc: FreeBSD Hackers <hackers@freebsd.org>
Subject: Re: Should process run under chroot(8) still see mounts on the original system?
Message-ID: <20130724001904.GB19249@dft-labs.eu>
In-Reply-To: <51EF1552.4050003@rawbw.com>
References: <51EF0EEE.8030000@rawbw.com> <20130723233102.GA19249@dft-labs.eu> <51EF1552.4050003@rawbw.com>
On Tue, Jul 23, 2013 at 04:44:18PM -0700, Yuri wrote:
> On 07/23/2013 16:31, Mateusz Guzik wrote:
> > Of course then you may have some unnecessary separation but that I
> > believe can be simply worked out if it turns out to be problematic.
>
> jail would completely separate the two systems. In my case this app also
> communicates through files that it creates and the host app reads
> through symbolic links. It might also be assuming that it runs on
> the same host and maybe is unable to connect to the X server other than
> through shared memory.
>

1. fs-level cooperation is not going to be affected in any way. For all
practical purposes you can assume that fs-wise a jail is a chroot with the
".." escape disabled.

2. Typically local applications connect to the X server over a unix socket,
i.e. something you would have to expose in the jail anyway (by e.g.
mount -t nullfs /tmp /path/to/jail/tmp).

Of course I can be wrong here, but it looks like jail is a drop-in
replacement here.

-- 
Mateusz Guzik <mjguzik gmail.com>
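The two points above (shared files via nullfs, and the X server's unix socket exposed inside the jail) can be expressed as a single jail.conf(5) entry. The following is an added example for this thread, not configuration posted by either participant; the jail name "xapp", the root path /jails/xapp, the shared directory /srv/shared and the hostname are assumptions, as is the choice to expose only /tmp/.X11-unix rather than all of host /tmp.

```conf
# Added example, not from the thread: /etc/jail.conf entry for a jailed X client.
# Assumed names: jail "xapp", root /jails/xapp, shared dir /srv/shared.
# The mount targets (/jails/xapp/tmp/.X11-unix, /jails/xapp/srv/shared)
# must already exist inside the jail root before the jail is started.

xapp {
    path = "/jails/xapp";
    host.hostname = "xapp.example";
    mount.devfs;

    # X clients reach the local server through the unix-domain socket under
    # /tmp/.X11-unix. Exposing only that directory (instead of all of /tmp,
    # as in the thread's "mount -t nullfs /tmp ..." example) narrows what the
    # jail can see. It has to be rw: connect(2) on a unix socket requires
    # write permission on the socket node. Note that any client that can
    # open the X socket can read input and draw on the whole display, so
    # this grant is still significant.
    mount  = "/tmp/.X11-unix  /jails/xapp/tmp/.X11-unix  nullfs  rw  0  0";

    # Files the jailed app writes and the host app reads via symlinks:
    # nullfs-mount the shared directory so both sides see the same files.
    # Symlinks inside the jail are resolved against the jail root, so links
    # must be relative to paths that exist from the jail's point of view.
    mount += "/srv/shared  /jails/xapp/srv/shared  nullfs  rw  0  0";

    # If the client falls back to the MIT-SHM extension (System V shared
    # memory segments shared with the X server), the jail must be allowed
    # into the host's SysV IPC namespace; it is denied by default.
    allow.sysvipc;

    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
    persist;
}
```

Start it with `jail -c xapp` and check the result with `mount | grep /jails/xapp` and `jls -j xapp`. The mounts are performed by jail(8) on the host side before the jail is created, so nothing inside the jail can change them, which is the "chroot with .. disabled" property the reply describes. If the application does not need MIT-SHM, leave `allow.sysvipc` out, since it shares the host's entire SysV IPC namespace, not just the X server's segments.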
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130724001904.GB19249>