isolation of GO lang application (jail and chroot)

Steve O'Hara-Smith steve at sohara.org
Mon Aug 15 20:44:50 UTC 2016


On Mon, 15 Aug 2016 11:58:44 -0700
Sergei G <sergeig.public at gmail.com> wrote:

> Can I jail just a single process without setting up a copy of operating
> system?  That's what ideally I would like to do.

	Yes you can do this, all you need to do is to make sure that you
have everything the application needs inside the jail - shared libraries,
configuration files, workspace etc. The set the exec_start for the jail to
the program you want to run. I usually do this by installing the
application in the host and then copying the essentials into the jail. IME
this usually involves a few false starts as you find things missing that
are needed in the jail but once past those it just works(tm), so don't
uninstall from the host until the jail is working.

	The next fiddly part comes when you need to upgrade the jailed
application, the safest way is to start from scratch in a fresh jail and
cut over the IP address when it works.

	You probably need to abandon qjail and set the jail up by hand to
do this. The payoff comes in security, if someone manages to compromise the
application there's nothing else in the jail for them to play with.

-- 
Steve O'Hara-Smith <steve at sohara.org>


More information about the freebsd-questions mailing list