Minimal devices in a jail
Dewayne Geraghty
dewayne.geraghty at heuristicsystems.com.au
Fri Jan 19 03:16:53 UTC 2018
While attempting to find a functional jail with the smallest number of
devices, I was surprised that a jail with only
jail3# ls /dev/
crypto null random urandom zero
was actually functional. (I expected it to require /dev/{stdin, stdout,
stderr, fs*}.)
From the base system, I start "jexec jail3 tcsh", and when that started,
jail3# fstat
USER CMD PID FD MOUNT INUM MODE SZ|DV R/W
root fstat 40606 text /bj 12241168 -r-xr-xr-x 18360 r
root fstat 40606 ctty /bj 235 crw--w---- pts/4 rw
root fstat 40606 wd / 7384356 drwxr-xr-x 1024 r
root fstat 40606 root / 7384356 drwxr-xr-x 1024 r
root fstat 40606 jail / 7384356 drwxr-xr-x 1024 r
root fstat 40606 0 / 235 crw--w---- pts/4 rw
root fstat 40606 1 / 235 crw--w---- pts/4 rw
root fstat 40606 2 / 235 crw--w---- pts/4 rw
root fstat 40606 3 / 7389794 -rw------- 40960 r
sh ...
tcsh...
So after some further testing it appears to use std{in,out,err} and
multiple file descriptors, and is, well, functional.
Is something causing the jail to inherit std{in,out,err} functionality?
If there is, are there others? And the pts device seems to be inherited
from the parent/base jail, even though there is no /dev/pts in the jail?
This is on FreeBSD 11.1-STABLE r327954M amd64 1101506 1101506, and the
/etc/jail.conf entry reads:
b6 { persist; ip4.addr = "10.0.7.96,10.0.5.126"; devfs_ruleset = "4"; }
(My intent is for a teeny jail to start, run a script (PKI key
generation stuff), then terminate; and yes, the base system only starts
jails & runs ntp in a chroot.)
Kind regards, Dewayne.
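An added check, not from the post above and not FreeBSD's own tooling: a POSIX sh script that emits a devfs ruleset producing the five-node listing the post shows, and audits an observed `ls /dev` against that allowlist so an unexpectedly exposed node is reported. The ruleset name is an assumption; the number 4 is taken from the post's jail.conf.

```shell
#!/bin/sh
# Added example, not the original poster's code. Devices listed here are
# the five the post observed in the jail; everything else is unexpected.
ALLOWED="crypto null random urandom zero"

# Print the body of a devfs.rules ruleset that hides every node and then
# unhides only the allowlisted ones. The ruleset name is an assumption;
# number 4 matches the post's devfs_ruleset = "4".
emit_ruleset() {
    printf '[devfsrules_minimal_pki=4]\n'
    printf 'add hide\n'
    for dev in $ALLOWED; do
        printf 'add path %s unhide\n' "$dev"
    done
}

# Compare an observed listing of /dev (whitespace separated, passed as $1)
# with the allowlist. Prints each unexpected node; returns 1 if any was
# found, 0 if the jail exposes only allowlisted devices.
audit_devs() {
    listing=$1
    bad=0
    for dev in $listing; do
        case " $ALLOWED " in
            *" $dev "*) ;;                                  # expected node
            *) echo "unexpected device node: /dev/$dev"; bad=1 ;;
        esac
    done
    return $bad
}

# Usage inside the jail once the ruleset is installed and applied:
#   audit_devs "$(ls /dev)"
# Note: the fds 0/1/2 on pts/4 that fstat showed are open descriptors
# inherited from jexec's parent process; they do not need a /dev/pts node
# inside the jail, which is why the audit does not expect one.
```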