Date: Wed, 24 Jul 2013 02:19:04 +0200
From: Mateusz Guzik
To: Yuri
Subject: Re: Should process run under chroot(8) still see mounts on the original system?
Cc: FreeBSD Hackers
List-Id: Technical Discussions relating to FreeBSD

On Tue, Jul 23, 2013 at 04:44:18PM -0700, Yuri wrote:
> On 07/23/2013 16:31, Mateusz Guzik wrote:
> >Of course then you may have some unnecessary separation but that I
> >believe can be simply worked out if it turns out to be problematic.
> >
> jail would completely separate two systems. In my case this app also
> communicates through files that it creates and host app reads
> through symbolic links. It might also be assuming that it runs on
> the same host and maybe is unable to connect to X server other than
> through the shared memory.
>

1. fs level cooperation is not going to be affected in any way. for all
practical purposes you can assume fs-wise jail is a chroot with ".."
escape disabled

2. typically local applications connect to X server over unix socket,
i.e. something you would have to expose in the jail anyway (by e.g.
mount -t nullfs /tmp /path/to/jail/tmp)

Of course I can be wrong here, but looks like jail is a drop-in
replacement here.

-- 
Mateusz Guzik