V_* meta-symbols and locking

James Gritton jamie at gritton.org
Wed Jun 18 21:02:42 UTC 2008

Marko Zec wrote:

 >>> The only thing I'd like to have
 >>> as an option is to be able to spawn a new process in the target VM
 >>> _without_ making it chrooted...
 >> If you mean creating a jail that's not chrooted, that's no problem.
 >> If you mean creating a jail that *is* chrooted, and then placing a
 >> process into that jail without chrooting it, that would be a breakage
 >> of the jail paradigm.  Hopefully you mean the former?
 > No, I want the later, as an option.  Given that the parent environment /
 > jail completely controls the child anyhow, I don't think such an
 > (optional) behavior would be too big a security issue.

One thing you could do is keep a file descriptor open to the real root
directory, and call jail_attach().  As long as the system is in its
default state of chroot_allow_open_directories == 1, you can then
fchdir() or openat() from the saved descriptor.  That could easily be
made an option to jexec(8).

- Jamie

More information about the freebsd-virtualization mailing list