Date: Mon, 15 Aug 2016 21:27:56 +0100
From: Steve O'Hara-Smith
To: freebsd-questions@freebsd.org
Subject: Re: isolation of GO lang application (jail and chroot)
Message-Id: <20160815212756.c5d2b50a5ed5482c544b1ab8@sohara.org>

On Mon, 15 Aug 2016 11:58:44 -0700
Sergei G wrote:

> Can I jail just a single process without setting up a copy of operating
> system? That's what ideally I would like to do.

Yes you can do this, all you need to do is to make sure that you have everything the application needs inside the jail - shared libraries, configuration files, workspace etc. Then set the exec_start for the jail to the program you want to run.

I usually do this by installing the application in the host and then copying the essentials into the jail. IME this usually involves a few false starts as you find things missing that are needed in the jail but once past those it just works(tm), so don't uninstall from the host until the jail is working.

The next fiddly part comes when you need to upgrade the jailed application, the safest way is to start from scratch in a fresh jail and cut over the IP address when it works. You probably need to abandon qjail and set the jail up by hand to do this.

The payoff comes in security, if someone manages to compromise the application there's nothing else in the jail for them to play with.

-- 
Steve O'Hara-Smith
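
The copy-the-essentials procedure described in the message above, sketched as an added example that is not part of the original post: it derives the library list from ldd(1) output, copies each file to the same path under an otherwise empty jail root, and prints a stanza using the jail.conf(5) parameter `exec.start`. The jail name `goapp`, the paths, the address 192.0.2.10, the `SRC_PREFIX` variable and the sample ldd output are all constructed assumptions.

```shell
#!/bin/sh
# Added example: stage one program plus its shared libraries into an empty
# jail root. Every name and path below is a constructed placeholder.

# Print the absolute library paths found in ldd(1) output read from stdin.
# Library lines look like "	libc.so.7 => /lib/libc.so.7 (0x800a4b000)".
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# Copy each listed file to the same path under the jail root ($1).
# SRC_PREFIX (normally empty) lets a dry run read from a scratch tree.
stage_files() {
    root=$1; shift
    for f in "$@"; do
        mkdir -p "$root$(dirname "$f")" || return 1
        cp -p "${SRC_PREFIX:-}$f" "$root$f" || { echo "missing: $f" >&2; return 1; }
    done
}

# Emit a minimal jail.conf stanza whose only start command is the program.
jail_stanza() {   # args: name root address program
    cat <<EOF
$1 {
    path = "$2";
    host.hostname = "$1";
    ip4.addr = "$3";
    exec.start = "$4";
}
EOF
}

# Constructed ldd output for a hypothetical /usr/local/bin/goapp.
SAMPLE_LDD='/usr/local/bin/goapp:
	libthr.so.3 => /lib/libthr.so.3 (0x800823000)
	libc.so.7 => /lib/libc.so.7 (0x800a4b000)'

# On a real host (assumed layout) the call would be the program, its
# libraries, and the runtime linker, which ldd does not list:
#   stage_files /jails/goapp /usr/local/bin/goapp /libexec/ld-elf.so.1 \
#       $(ldd /usr/local/bin/goapp | ldd_paths)
printf '%s\n' "$SAMPLE_LDD" | ldd_paths
jail_stanza goapp /jails/goapp 192.0.2.10 /usr/local/bin/goapp
```

A failed copy stops staging and names the missing file, which is the "false start" case the message mentions; configuration files and working directories still have to be added by hand because ldd only reports libraries.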