LKML Archive on lore.kernel.org
Subject: CLONE_NEWNS and bind mounts to make "chroot" jail
From: Leibowitz, Michael
Date: 2008-03-01 17:05 UTC
To: linux-kernel

I have been trying to use the combination of CLONE_NEWNS and bind mounts
to create a better (than) chroot jail. I wish to have the ability to
bind (ro will be possible in the future, I understand) certain
directories into the jail (perhaps /bin, /lib, /usr), but not have
parallel directories in the jail (no /etc, ..., /home).

I have heard that this should be possible, but have yet to get a working
solution.

I have tried something analogous to:

    chdir("/jail");
    unshare(CLONE_NEWNS);
    /* mount(8) syntax given for simplicity, but mount(2) used below */
    mount --bind / /jail/old_root
    mount --bind /jail/old_root/bin /jail/bin
    mount --bind /jail/old_root/usr /jail/usr
    mount --bind /jail/old_root/lib /jail/lib
    mount --bind /jail /                 # does nothing?
    umount2("/old_root", MNT_DETACH);    # never happens.
    exec("bin/sh");

When bin/sh runs, I can still see old_root from /jail and the bind of
/jail over / seems to have not done anything.

Is it possible to create such a jail with bind mounts? Is there a
recommended method for doing so? Thank you for your time.

--
Michael Leibowitz
Software Engineer, UMG
Intel Corporation
michael.leibowitz at intel.com
Subject: Re: CLONE_NEWNS and bind mounts to make "chroot" jail
From: serge
Date: 2008-03-02 2:26 UTC
To: Leibowitz, Michael
Cc: linux-kernel

Quoting Leibowitz, Michael (michael.leibowitz@intel.com):
> I have been trying to use the combination of CLONE_NEWNS and bind mounts
> to create a better (than) chroot jail. I wish to have the ability to
> bind (ro will be possible in the future, I understand) certain
> directories into the jail (perhaps /bin, /lib, /usr), but not have
> parallel directories in the jail (no /etc, ..., /home).
>
> I have heard that this should be possible, but have yet to get a working
> solution.
>
> I have tried something analogous to:

Try a few more things. Since you had entered /jail, you can view '/' by
looking at .. . But if you look at /, you dereference your task->fsroot.
You never changed that, so it points to the original mount. If however
you 'ls ..', you should see your 'jail' directory. However it won't have
the /bin and /lib mounted because you didn't

    mount --rbind /jail /

What you really want to do is

    mount --bind /jail /jail

to make sure it's a mountpoint, then set up the new /jail using bind
mounts like you're doing (and likely some rbinds in some places), then
use pivot_root() to change your root. Then umount2("/old_root", MNT_DETACH).

-serge

>     chdir("/jail");
>     unshare(CLONE_NEWNS);
>     /* mount(8) syntax given for simplicity, but mount(2) used below */
>     mount --bind / /jail/old_root
>     mount --bind /jail/old_root/bin /jail/bin
>     mount --bind /jail/old_root/usr /jail/usr
>     mount --bind /jail/old_root/lib /jail/lib
>     mount --bind /jail /                 # does nothing?
>     umount2("/old_root", MNT_DETACH);    # never happens.
>     exec("bin/sh");
>
> When bin/sh runs, I can still see old_root from /jail and the bind of
> /jail over / seems to have not done anything.
>
> Is it possible to create such a jail with bind mounts? Is there a
> recommended method for doing so? Thank you for your time.
>
> --
> Michael Leibowitz
> Software Engineer, UMG
> Intel Corporation
> michael.leibowitz at intel.com
Subject: RE: CLONE_NEWNS and bind mounts to make "chroot" jail
From: Leibowitz, Michael
Date: 2008-03-03 6:56 UTC
To: serge
Cc: linux-kernel

If I understand correctly, the following should accomplish what I'm
looking for. However, pivot_root gives me EBUSY. I played around with
moving the mount --bind /jail /jail to before the unshare, as well as
making old_root a bind mount to itself. However, pivot_root always
seems to fail. Is there something obvious that I'm doing wrong? The
following is my test code (error checking has been removed for clarity,
except for pivot_root).

    char *newargv[] = { "sh", NULL };

    chdir("/jail");
    unshare(CLONE_NEWNS);
    mount("/jail", "/jail", NULL, MS_BIND, NULL);
    mount("/bin", "bin", NULL, MS_BIND, NULL);
    mount("/usr", "usr", NULL, MS_BIND, NULL);
    mount("/lib", "lib", NULL, MS_BIND, NULL);
    if (pivot_root(".", "old_root")) perror("pivot_root . old_root");
    execv("./bash-static", newargv); /* copied to /jail prior to running */

Thanks.

> Serge replies:
[snip...snip]
> Try a few more things. Since you had entered /jail, you can view '/' by
> looking at .. . But if you look at /, you dereference your
> task->fsroot. You never changed that, so it points to the original
> mount. If however you 'ls ..', you should see your 'jail' directory.
> However it won't have the /bin and /lib mounted because you didn't
>     mount --rbind /jail /
> What you really want to do is
>     mount --bind /jail /jail
> to make sure it's a mountpoint, then set up the new /jail using bind
> mounts like you're doing (and likely some rbinds in some places), then
> use pivot_root() to change your root. Then umount2("/old_root",
> MNT_DETACH).
>
> -serge

--
Michael Leibowitz
Software Engineer, UMG
Intel Corporation
michael.leibowitz at intel.com
Subject: Re: CLONE_NEWNS and bind mounts to make "chroot" jail
From: serge
Date: 2008-03-04 21:45 UTC
To: Leibowitz, Michael
Cc: serge, linux-kernel

Quoting Leibowitz, Michael (michael.leibowitz@intel.com):
> If I understand correctly, the following should accomplish what I'm
> looking for. However, pivot_root gives me EBUSY. I played around with
> moving the mount --bind /jail /jail to before the unshare, as well as
> making old_root a bind mount to itself. However, pivot_root always
> seems to fail. Is there something obvious that I'm doing wrong? The

Yes, you

    cd /jail
    mount --bind /jail /jail
    pivot_root . old_root

but . is now mounted over.

-serge

> following is my test code (error checking has been removed for clarity,
> except for pivot_root).
>
>     char *newargv[] = { "sh", NULL };
>
>     chdir("/jail");
>     unshare(CLONE_NEWNS);
>     mount("/jail", "/jail", NULL, MS_BIND, NULL);
>     mount("/bin", "bin", NULL, MS_BIND, NULL);
>     mount("/usr", "usr", NULL, MS_BIND, NULL);
>     mount("/lib", "lib", NULL, MS_BIND, NULL);
>     if (pivot_root(".", "old_root")) perror("pivot_root . old_root");
>     execv("./bash-static", newargv); /* copied to /jail prior to running */
>
> Thanks.
Subject: Re: CLONE_NEWNS and bind mounts to make "chroot" jail
From: Leibowitz, Michael
Date: 2008-03-05 6:23 UTC
To: serge
Cc: linux-kernel

I'm not 100% sure if this is what you meant, but I did get the following
to work:

    chdir("/jail");
    unshare(CLONE_NEWNS);
    mount("/jail", "/jail", NULL, MS_BIND, NULL);
    pivot_root("/jail", "/jail/old_root");
    chdir("/");
    mount("/old_root/bin", "bin", NULL, MS_BIND, NULL);
    mount("/old_root/usr", "usr", NULL, MS_BIND, NULL);
    mount("/old_root/lib", "lib", NULL, MS_BIND, NULL);
    umount2("/old_root", MNT_DETACH);
    execl("/busybox", "sh", (char *)NULL);  /* the post wrote exec("/busybox") */

Thanks for the help.

On Tue, 2008-03-04 at 15:45 -0600, serge@hallyn.com wrote:
> Quoting Leibowitz, Michael (michael.leibowitz@intel.com):
> Yes, you
>     cd /jail
>     mount --bind /jail /jail
>     pivot_root . old_root
>
> but . is now mounted over.
>
> >     char *newargv[] = { "sh", NULL };
> >
> >     chdir("/jail");
> >     unshare(CLONE_NEWNS);
> >     mount("/jail", "/jail", NULL, MS_BIND, NULL);
> >     mount("/bin", "bin", NULL, MS_BIND, NULL);
> >     mount("/usr", "usr", NULL, MS_BIND, NULL);
> >     mount("/lib", "lib", NULL, MS_BIND, NULL);
> >     if (pivot_root(".", "old_root")) perror("pivot_root . old_root");
> >     execv("./bash-static", newargv); /* copied to /jail prior to running */

--
Michael Leibowitz <michael.leibowitz@intel.com>
Subject: RE: CLONE_NEWNS and bind mounts to make "chroot" jail
From: Bodo Eggert
Date: 2008-03-03 15:54 UTC
To: Leibowitz, Michael, serge, linux-kernel

Leibowitz, Michael <michael.leibowitz@intel.com> wrote:
> If I understand correctly, the following should accomplish what I'm
> looking for. However, pivot_root gives me EBUSY. I played around with
> moving the mount --bind /jail /jail to before the unshare, as well as
> making old_root a bind mount to itself. However, pivot_root always
> seems to fail. Is there something obvious that I'm doing wrong? The
> following is my test code (error checking has been removed for clarity,
> except for pivot_root).
>
>     char *newargv[] = { "sh", NULL };
>
>     chdir("/jail");
>     unshare(CLONE_NEWNS);
>     mount("/jail", "/jail", NULL, MS_BIND, NULL);
>     mount("/bin", "bin", NULL, MS_BIND, NULL);
>     mount("/usr", "usr", NULL, MS_BIND, NULL);
>     mount("/lib", "lib", NULL, MS_BIND, NULL);
>     if (pivot_root(".", "old_root")) perror("pivot_root . old_root");
>     execv("./bash-static", newargv); /* copied to /jail prior to running */

This works for me:

    #define _GNU_SOURCE          /* must precede <sched.h>, or unshare() is not declared */
    #include <sched.h>
    #include <stdio.h>           /* perror() */
    #include <sys/mount.h>
    #include <sys/syscall.h>
    #include <unistd.h>

    #ifndef MNT_DETACH
    #define MNT_DETACH 2         /* Detach from tree only */
    #endif

    /* glibc provides no pivot_root() wrapper; go through syscall(2) */
    static int pivot_root(const char *new_root, const char *put_old)
    {
        return syscall(SYS_pivot_root, new_root, put_old);
    }

    int main(void)
    {
        unshare(CLONE_NEWNS);
        mount("jail", "jail", NULL, MS_BIND, NULL);
        mount("/bin", "jail/bin", NULL, MS_BIND, NULL);
        mount("/usr", "jail/usr", NULL, MS_BIND, NULL);
        mount("/lib", "jail/lib", NULL, MS_BIND, NULL);
        /* abuse bin as the temporary old root directory */
        if (pivot_root("jail", "jail/bin")) perror("pivot_root");
        chdir("/");
        umount2("bin", MNT_DETACH);
        execl("./sash", "sash", (char *)NULL);  /* copied to /jail prior to running */
        return 1;
    }
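The sequence the thread converges on (self-bind so the jail is a mountpoint, re-enter it so "." sits on the new mount rather than the one Serge notes is "now mounted over", pivot, detach), collected into one function as an added example; this is not code from any of the posters. The names enter_jail, mountinfo_lists and SAMPLE_MOUNTINFO are mine, the jail directory with its old_root and per-bind subdirectories is assumed to exist, and two steps go beyond the 2008 thread: the MS_PRIVATE propagation change, which later kernels need so the binds stay out of the host namespace, and the bind-then-remount sequence that gives the read-only binds the original poster asked about.

```c
#define _GNU_SOURCE /* must come before every include, or unshare() is hidden */
#include <sched.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

static int pivot_root(const char *new_root, const char *put_old)
{ return syscall(SYS_pivot_root, new_root, put_old); } /* glibc has no wrapper */

/* Constructed /proc/self/mountinfo sample: root fs plus the jail's self-bind. */
static const char SAMPLE_MOUNTINFO[] =
    "22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "57 22 8:1 /jail /jail rw,relatime - ext4 /dev/sda1 rw\n";

/* Is `path` the mount point (field 5) of any line in mountinfo-format `text`?
 * A self-bind keeps the same st_dev, so a stat()-based comparison misses it. */
int mountinfo_lists(const char *text, const char *path)
{
    char buf[4096];
    for (const char *l = text; *l; ) {
        const char *nl = strchr(l, '\n');
        size_t n = nl ? (size_t)(nl - l) : strlen(l);
        if (n < sizeof buf) {
            memcpy(buf, l, n); buf[n] = '\0';
            char *sv, *f = strtok_r(buf, " ", &sv);
            for (int i = 1; f && i < 5; i++) f = strtok_r(NULL, " ", &sv);
            if (f && strcmp(f, path) == 0) return 1;
        }
        l = nl ? nl + 1 : l + n;
    }
    return 0;
}

/* dirs is NULL-terminated, e.g. {"/bin", "/lib", "/usr", NULL}; jail/old_root
 * and each jail/<dir> must already exist. Requires CAP_SYS_ADMIN. */
int enter_jail(const char *jail, const char *const *dirs)
{
    if (unshare(CLONE_NEWNS)) return -1;
    /* otherwise shared subtrees propagate the binds below back to the host */
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL)) return -1;
    if (mount(jail, jail, NULL, MS_BIND, NULL)) return -1;
    if (chdir(jail)) return -1; /* cwd must sit on the NEW mount, else EBUSY */
    for (; *dirs; dirs++) { /* "/bin" binds onto "bin", relative to the jail */
        if (mount(*dirs, *dirs + 1, NULL, MS_BIND, NULL)) return -1;
        /* a read-only bind takes two steps: bind, then remount it read-only */
        if (mount("none", *dirs + 1, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL)) return -1;
    }
    if (pivot_root(".", "old_root") || chdir("/")) return -1;
    return umount2("/old_root", MNT_DETACH); /* the caller then exec()s */
}
```

After enter_jail() returns 0 the caller exec()s the jailed program, as the posts do; reading /proc/self/mountinfo into mountinfo_lists() before the pivot is how to confirm the self-bind took.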