Date: Mon, 15 Aug 2016 21:27:56 +0100 From: Steve O'Hara-Smith <steve@sohara.org> To: freebsd-questions@freebsd.org Subject: Re: isolation of GO lang application (jail and chroot) Message-ID: <20160815212756.c5d2b50a5ed5482c544b1ab8@sohara.org> In-Reply-To: <CAFLLzCNm4uQS9gPeX32xaZqB%2BfEyhtF3tpf7hsyhm0%2B%2BY7yV5Q@mail.gmail.com> References: <CAFLLzCNm4uQS9gPeX32xaZqB%2BfEyhtF3tpf7hsyhm0%2B%2BY7yV5Q@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 15 Aug 2016 11:58:44 -0700 Sergei G <sergeig.public@gmail.com> wrote: > Can I jail just a single process without setting up a copy of operating > system? That's what ideally I would like to do. Yes you can do this, all you need to do is to make sure that you have everything the application needs inside the jail - shared libraries, configuration files, workspace etc. The set the exec_start for the jail to the program you want to run. I usually do this by installing the application in the host and then copying the essentials into the jail. IME this usually involves a few false starts as you find things missing that are needed in the jail but once past those it just works(tm), so don't uninstall from the host until the jail is working. The next fiddly part comes when you need to upgrade the jailed application, the safest way is to start from scratch in a fresh jail and cut over the IP address when it works. You probably need to abandon qjail and set the jail up by hand to do this. The payoff comes in security, if someone manages to compromise the application there's nothing else in the jail for them to play with. -- Steve O'Hara-Smith <steve@sohara.org>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160815212756.c5d2b50a5ed5482c544b1ab8>