device entries outside /proc with procfs (for chroot)
swhetzel at gmail.com
Mon Sep 19 10:20:03 PDT 2005
On 9/19/05, Martin Cracauer <cracauer at cons.org> wrote:
> I noticed the creation of /dev/ entries outside of /dev doesn't work
> anymore. This is needed for chroot environments, which rely on
> /dev/null on a regular basis.
> I just created the appended message to freebsd-emulation but what I
> suggest doesn't work either. It seems that even with the right major
> and minor device number we won't get a working /dev/null outside of
> Any suggestions? I think it is required to have some capability for
> device entries in chrooted environments.
> The only working thing I came up with is this:
> mkdir /compat/linux/dev
> mkdir /compat/linux/dev-hidden
> mount -t devfs devfs /compat/linux/dev-hidden
> cd /compat/linux/dev
> rm -f null zero
> ln -s ../dev-hidden/null .
> ln -s ../dev-hidden/zero .
> Any ill effects to be expected from this hack?
Yes, when you chrooted to /compat/linux, you still have access to the
devices listed in /dev-hidden, which could cause a security issue.
You best bet is to mount devfs on /compat/linux/dev, and then use
devfs_rules to limit the devices available in the chroot area.
> -- cut here --
> > You may wish to create and populate /compat/linux/dev/ if you plan to
> > chroot
> > into your Linux installation. For example:
> > mkdir /compat/linux/dev
> > mknod /compat/linux/dev/null c 2 2
> > chmod 666 /compat/linux/dev/null
The solution is to change the pkg-message to add an example for 5.X+
that shows howd to mount devfs on /compat/linux/dev, and uses
devfs_rules to hide all devices except for the null & zero device.
No electrons were mamed while sending this message. Only slightly bruised.
More information about the freebsd-current