I need to run a process in a chroot with a virtual /proc filesystem, so the process is unable to get access to other processes running on the same host. The process must be run under root and have full access to files in chroot. Also any changes to the filesystem must be preserved in the chrooted directory.

Is it even possible?

user unknown
user4674453

2 Answers


It is possible to mount /proc in a chroot environment - see this answer for more on that.

I would have concerns that the program would not be able to get access to other processes, as much (if not all) of this information can be accessed through /proc (/proc/[pid number] will give you access to this).

It's unclear what you mean by "changes to the filesystem", but if these changes are to the filesystem excluding special bits like /proc, /dev/ etc., these will stay in the chroot.

davidgo
  • mounting the real `/proc` in the chroot is pretty much exactly what the question is trying to avoid. – quixotic Mar 21 '17 at 04:00
  • @quixotic - if that's the case, the answer is "no" - unless a lot more information is given as to what specific parts of /proc are needed. Rereading the question, I wonder if the understanding of filesystems is correct - as in, does "changes to the filesystem must be preserved" imply access to files outside the scope of the directories under the chroot jail? – davidgo Mar 21 '17 at 04:06
  • agree that doesn't entirely make sense -- it could be assuming a read-only base for the chroot, like docker or snapshot-able VM images or running the chroot in a loop-mounted ISO image or ... – quixotic Mar 21 '17 at 04:14
  • > It's unclear what you mean by "changes to the filesystem" That was to keep docker fans from flooding the topic :) What I really need is to be able to install any package, which pulls a lot of dependencies, in such a way that it won't pollute the system, and be usable in the shell as if it were installed in /usr/bin. So I would like it to use the main root, but all the changes it produces, including dependencies, logs, etc., to be stored in a separate directory. I want it to know nothing about the root system and the processes it's running, as it won't work smoothly. – user4674453 Mar 21 '17 at 22:36

You can accomplish this using Linux namespaces. Containers (Docker, lxc) are made out of those. man unshare is your friend. Beware that an attacker can easily escape a chroot if you use it improperly. Read up on this before using it. You have been warned.

lynx
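As an added example (not code from the answer above), the following script shows what the namespace approach looks like with util-linux `unshare(1)` and `chroot(8)`: a private mount namespace so the fresh procfs is invisible to the host, a new PID namespace so the chrooted process is PID 1 and can only see its own descendants, and a helper to verify from inside the chroot that /proc really only lists the namespace's own PIDs. It assumes Linux, root privileges, and that the directory passed as the first argument already holds a userland (for example populated with debootstrap) with an empty `proc/` subdirectory; the function and script names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original answer. Run a command in a chroot that
# has its own PID namespace and a private /proc, using unshare(1) and chroot(8).
# Assumptions: Linux, running as root, and $1 is a directory already containing
# a userland (e.g. from debootstrap) with an empty proc/ subdirectory.
set -eu

# List the PIDs visible in a procfs directory (numeric entries only), one per
# line, lowest first. Run `proc_pids /proc` inside the chroot to confirm that
# only the new namespace's own processes are visible, not the host's.
proc_pids() {
    dir=$1
    for entry in "$dir"/*; do
        name=${entry##*/}
        case $name in
            ''|*[!0-9]*) ;;              # skip non-numeric entries such as self, cpuinfo
            *) printf '%s\n' "$name" ;;
        esac
    done | sort -n
}

# Enter new mount and PID namespaces, mount a fresh procfs inside the chroot
# directory, then chroot into it and exec the command (default: /bin/sh).
ns_chroot() {
    root=$1; shift
    [ $# -gt 0 ] || set -- /bin/sh
    # --mount : private mount namespace; the proc mount below is not seen by the host
    #           (unshare defaults to private propagation for the new namespace).
    # --pid   : new PID namespace; processes in it cannot see or signal host processes,
    #           so /proc/<host pid>/root is not available as an escape route.
    # --fork  : required with --pid; the forked child becomes PID 1 of the new namespace.
    # The inner sh already runs in both namespaces, so the procfs it mounts only
    # shows that PID namespace. It then chroots and execs the requested command.
    exec unshare --mount --pid --fork sh -c '
        root=$1; shift
        mount -t proc -o nosuid,noexec,nodev proc "$root/proc"
        exec chroot "$root" "$@"
    ' inner-sh "$root" "$@"
}

# Usage as a script: ns_chroot.sh /path/to/jail [command...]
if [ "${1-}" ]; then
    ns_chroot "$@"
fi
```

Everything the chrooted command writes lands in the jail directory as usual, since only /proc is a fresh mount; the /proc mount itself disappears with the mount namespace when the command exits. Newer util-linux releases also offer `unshare --mount-proc` and `unshare --root=DIR`, which fold the inner `mount` and `chroot` into a single `unshare` invocation.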