Date: Wed, 18 Jun 2008 15:02:35 -0600
From: James Gritton <jamie@gritton.org>
To: freebsd-virtualization@freebsd.org
Subject: Re: V_* meta-symbols and locking
Message-ID: <485977EB.90504@gritton.org>
In-Reply-To: <200806182156.37998.zec@icir.org>
References: <48588595.7020709@gritton.org> <200806182140.23123.zec@icir.org> <4859661E.9070502@gritton.org> <200806182156.37998.zec@icir.org>

Marko Zec wrote:
>>> The only thing I'd like to have
>>> as an option is to be able to spawn a new process in the target VM
>>> _without_ making it chrooted...
>>
>> If you mean creating a jail that's not chrooted, that's no problem.
>> If you mean creating a jail that *is* chrooted, and then placing a
>> process into that jail without chrooting it, that would be a breakage
>> of the jail paradigm. Hopefully you mean the former?
>
> No, I want the latter, as an option. Given that the parent environment /
> jail completely controls the child anyhow, I don't think such an
> (optional) behavior would be too big a security issue.

One thing you could do is keep a file descriptor open to the real root
directory, and call jail_attach(). As long as the system is in its
default state of chroot_allow_open_directories == 1, you can then
fchdir() or openat() from the saved descriptor. That could easily be
made an option to jexec(8).

- Jamie