V_* meta-symbols and locking
jamie at gritton.org
Wed Jun 18 21:02:42 UTC 2008
Marko Zec wrote:
>>> The only thing I'd like to have
>>> as an option is to be able to spawn a new process in the target VM
>>> _without_ making it chrooted...
>> If you mean creating a jail that's not chrooted, that's no problem.
>> If you mean creating a jail that *is* chrooted, and then placing a
>> process into that jail without chrooting it, that would be a breakage
>> of the jail paradigm. Hopefully you mean the former?
> No, I want the later, as an option. Given that the parent environment /
> jail completely controls the child anyhow, I don't think such an
> (optional) behavior would be too big a security issue.
One thing you could do is keep a file descriptor open to the real root
directory, and call jail_attach(). As long as the system is in its
default state of chroot_allow_open_directories == 1, you can then
fchdir() or openat() from the saved descriptor. That could easily be
made an option to jexec(8).
More information about the freebsd-virtualization