device entries outside /proc with procfs (for chroot)
Scot Hetzel
swhetzel at gmail.com
Mon Sep 19 10:20:03 PDT 2005
On 9/19/05, Martin Cracauer <cracauer at cons.org> wrote:
> I noticed the creation of /dev/ entries outside of /dev doesn't work
> anymore. This is needed for chroot environments, which rely on
> /dev/null on a regular basis.
>
> I just created the appended message to freebsd-emulation but what I
> suggest doesn't work either. It seems that even with the right major
> and minor device number we won't get a working /dev/null outside of
> /dev.
>
> Any suggestions? I think it is required to have some capability for
> device entries in chrooted environments.
>
> The only working thing I came up with is this:
>
> mkdir /compat/linux/dev
> mkdir /compat/linux/dev-hidden
> mount -t devfs devfs /compat/linux/dev-hidden
> cd /compat/linux/dev
> rm -f null zero
> ln -s ../dev-hidden/null .
> ln -s ../dev-hidden/zero .
>
> Any ill effects to be expected from this hack?
>
>
Yes, when you chroot to /compat/linux, you still have access to the
devices listed in /dev-hidden, which could cause a security issue.
Your best bet is to mount devfs on /compat/linux/dev, and then use
devfs_rules to limit the devices available in the chroot area.
> -- cut here --
>
> /usr/ports/emulators/linux_base/pkg-message
> recommends:
> > You may wish to create and populate /compat/linux/dev/ if you plan to
> > chroot into your Linux installation. For example:
> >
> > mkdir /compat/linux/dev
> > mknod /compat/linux/dev/null c 2 2
> > chmod 666 /compat/linux/dev/null
>
>
The solution is to change the pkg-message to add an example for 5.X+
that shows how to mount devfs on /compat/linux/dev, and uses
devfs_rules to hide all devices except for the null & zero device.
--
DISCLAIMER:
No electrons were maimed while sending this message. Only slightly bruised.
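The following is an added example, not code from the thread or from the linux_base port, showing one way to do what the reply recommends: mount a separate devfs on /compat/linux/dev and attach a devfs.rules(5) ruleset that hides every node except null and zero. The ruleset name `devfsrules_linux_chroot`, its number 30, the `write_ruleset`/`apply_ruleset`/`audit_chroot_dev` helpers and the CHROOT_DEV default are this example's own choices; the devfs(8) and devfs.rules(5) syntax is the standard one.

```shell
#!/bin/sh
# Added example (not from the original thread): a devfs(8) ruleset that leaves
# only null and zero visible inside the chroot's /dev, plus an audit that the
# directory holds nothing else. Ruleset name, number and paths are this
# example's own assumptions.

CHROOT_DEV="${CHROOT_DEV:-/compat/linux/dev}"
RULESET_NAME="devfsrules_linux_chroot"
RULESET_NUM=30   # any number not already used in /etc/defaults/devfs.rules

# Emit the devfs.rules(5) stanza: "add hide" with no condition matches every
# node, then only the two devices the chroot needs are unhidden again.
ruleset_stanza() {
    cat <<EOF
[${RULESET_NAME}=${RULESET_NUM}]
add hide
add path null unhide
add path zero unhide
EOF
}

# Append the stanza to the rules file (default /etc/devfs.rules), but only
# once, so repeated runs stay idempotent.
write_ruleset() {
    f="${1:-/etc/devfs.rules}"
    if [ -f "$f" ] && grep -q "^\[${RULESET_NAME}=" "$f"; then
        return 0
    fi
    ruleset_stanza >> "$f"
}

# Mount a fresh devfs on the chroot's /dev and bind the ruleset to that mount.
# Only acts on a host that has devfs(8) and when running as root; otherwise it
# just reports the commands it would run.
apply_ruleset() {
    if ! command -v devfs >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "would run: mount -t devfs devfs $CHROOT_DEV" >&2
        echo "would run: devfs -m $CHROOT_DEV rule -s $RULESET_NUM applyset" >&2
        echo "would run: devfs -m $CHROOT_DEV ruleset $RULESET_NUM" >&2
        return 0
    fi
    mkdir -p "$CHROOT_DEV"
    mount -t devfs devfs "$CHROOT_DEV"
    # applyset filters the nodes that already exist; setting the mount's
    # active ruleset makes devices created later go through the rules too.
    devfs -m "$CHROOT_DEV" rule -s "$RULESET_NUM" applyset
    devfs -m "$CHROOT_DEV" ruleset "$RULESET_NUM"
}

# Audit: return 1 and name the offenders if the directory exposes any entry
# other than null and zero. Hidden devfs nodes do not show up in listings,
# so on a correctly ruled mount this passes. Works on any directory.
audit_chroot_dev() {
    dir="${1:-$CHROOT_DEV}"
    status=0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue
        name="${entry##*/}"
        case "$name" in
            null|zero) ;;
            *) echo "unexpected device node in $dir: $name" >&2; status=1 ;;
        esac
    done
    return $status
}
```

On the FreeBSD host, run `write_ruleset && apply_ruleset` as root, then `audit_chroot_dev` to confirm only null and zero are visible; to have the ruleset reattached at boot, set `devfs_set_rulesets="/compat/linux/dev=devfsrules_linux_chroot"` in /etc/rc.conf. Unlike symlinks into a second, unrestricted devfs mount, the hidden nodes are not reachable from inside the chroot at all.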