Re: CLONE_NEWNS and bind mounts to make "chroot" jail

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Leibowitz, Michael

Subject: Re: CLONE_NEWNS and bind mounts to make "chroot" jail

Date: Tuesday, March 4, 2008 - 11:23 pm

I'm not 100% sure if this is what you meant, but I did get the following
to work:=20

chdir("/jail");=20
unshare(CLONE_NEWNS);
mount("/jail", "/jail", NULL, MS_BIND, NULL);
pivot_root("/jail", "/jail/old_root");
chdir("/");
mount("/old_root/bin", "bin", NULL, MS_BIND, NULL);
mount("/old_root/usr", "usr", NULL, MS_BIND, NULL);
mount("/old_root/lib", "lib", NULL, MS_BIND, NULL);
umount2("/old_root", MNT_DETACH);
exec("/busybox");

Thanks for the help. =20

On Tue, 2008-03-04 at 15:45 -0600, serge@hallyn.com wrote:
quoted text> Quoting Leibowitz, Michael (michael.leibowitz@intel.com):
> Yes, you
> 	cd /jail
> 	mount --bind /jail /jail
> 	pivot_root . old_root
>=20
> but . is now mounted over.
> >   char *newargv[]=3D { "sh", NULL };
> >=20
> >   chdir("/jail");
> >   unshare(CLONE_NEWNS));
> >   mount("/jail", "/jail", NULL, MS_BIND, NULL));
> >   mount("/bin", "bin", NULL, MS_BIND, NULL));
> >   mount("/usr", "usr", NULL, MS_BIND, NULL));
> >   mount("/lib", "lib", NULL, MS_BIND, NULL));
> >   if (pivot_root(".", "old_root")) perror("pivot_root . old_root");
> >   exec("./bash-static"); /* copied to /jail prior to running */

--=20
Michael Leibowitz <michael.leibowitz@intel.com>

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

CLONE_NEWNS and bind mounts to make "chroot" jail, Leibowitz, Michael, (Sat Mar 1, 10:05 am)

Re: CLONE_NEWNS and bind mounts to make "chroot" jail, serge, (Sat Mar 1, 7:26 pm)

RE: CLONE_NEWNS and bind mounts to make "chroot" jail, Leibowitz, Michael, (Sun Mar 2, 11:56 pm)

Re: CLONE_NEWNS and bind mounts to make "chroot" jail, serge, (Tue Mar 4, 2:45 pm)

Re: CLONE_NEWNS and bind mounts to make "chroot" jail, Leibowitz, Michael, (Tue Mar 4, 11:23 pm)


linux-kernel:
Rafael J. Wysocki	[Bug #16136] Linux 2.6.34 causes system lockup on Compaq Presario 2200 Laptop
Joerg Roedel	Re: [patch] dma-debug: off by one issue
Tetsuo Handa	Re: [AppArmor #7 0/13] AppArmor security module
Pekka Enberg	Re: BUG in free_block (tainted)
Jakub Narebski	Re: [PATCH] gitweb: Fix shortlog only showing HEAD revision.
git:
Christian Stimming	git-gui: Fix broken revert confirmation.
Johannes Schindelin	Re: [PATCH 2/2] git-svn: support fetch with autocrlf on
Mark Burton	Re: [PATCH] builtin-branch: highlight current remote branches with an asterisk
Junio C Hamano	Re: git-svnimport
Junio C Hamano	Re: [PATCH 6/6] Teach core object handling functions about gitlinks
linux-netdev:
Nick Piggin	Re: Kernel WARNING: at net/core/dev.c:1330 __netif_schedule+0x2c/0x98()
Daniel Lezcano	getsockopt(TCP_DEFER_ACCEPT) value change
David Miller	Re: 2.6.27.18: bnx2/tg3: BUG: "scheduling while atomic" trying to ifenslave a seco...
Amit Kumar Salecha	[PATCH NEXT 10/10] qlcnic: add cksum flag
Patrick McHardy	Re: [PATCH RESEND 1/3] netfilter: xtables: inclusion of xt_condition
git-commits-head:
Linux Kernel Mailing List	ath9k_htc: Allocate URBs properly
Linux Kernel Mailing List	ath9k: Added get_survey callback in order to get channel noise
Linux Kernel Mailing List	ALSA: snd-usb-caiaq: Do not expose hardware input mode 0 of A4DJ
Linux Kernel Mailing List	cpumask: make irq_set_affinity() take a const struct cpumask
Linux Kernel Mailing List	V4L/DVB (9041): Add support YUAN High-Tech STK7700D (1164:1f08)
openbsd-misc:
Conor	Re: RFID Reader
Josh Grosse	ssh/sshd challenge-response seems to have stopped working in -current
Stuart Henderson	Re: SquidGuard problem
Henning Brauer	Re: 3ware hardware raid support?
Ryan McBride	Re: Packets Per Second Limit?