2

I need to run a process in a chroot with a virtual /proc filesystem, so the process is unable to get access to other processes running on the same host. The process must be run under root and have full access to files in chroot. Also any changes to the filesystem must be preserved in the chrooted directory.

Is it even possible?

2
  • 1
    Any particular reason for trying to achieve such behavior?
    – ddnomad
    Commented Mar 21, 2017 at 1:31
  • a VM or LXC container will give you a real-looking /proc without actually being the host's /proc.
    – quixotic
    Commented Mar 21, 2017 at 4:09

2 Answers

0

It is possible to mount /proc in a chroot environment - see this answer for more on that.

I would have concerns that the program would not be able to get access to other processes, as much (if not all) of this information can be accessed through /proc (/proc/[pid number] will give you access to this).

It's unclear what you mean by "changes to the filesystem", but if these changes are to the filesystem excluding special bits like /proc, /dev, etc., these will stay in the chroot.

4
  • mounting the real /proc in the chroot is pretty much exactly what the question is trying to avoid.
    – quixotic
    Commented Mar 21, 2017 at 4:00
  • @quixotic - if that's the case, the answer is "no" - unless a lot more information is given as to what specific parts of /proc are needed. Rereading the question, I wonder if the understanding of filesystems is correct - as in, does "changes to the filesystem must be preserved" imply access to files outside the scope of the directories under the chroot jail?
    – davidgo
    Commented Mar 21, 2017 at 4:06
  • agree that doesn't entirely make sense -- it could be assuming a read-only base for the chroot, like docker or snapshot-able VM images or running the chroot in a loop-mounted ISO image or ...
    – quixotic
    Commented Mar 21, 2017 at 4:14
  • > It's unclear what you mean by "changes to the filesystem"
    That was to avoid Docker fans flooding the topic :) What I really need is to be able to install any package, which pulls a lot of dependencies, in a way that won't pollute the system, and be usable in the shell like it is installed in /usr/bin. So I would like it to use the main root, but all the changes it produces, including dependencies, logs, etc., to be stored in a separate directory. I want it to know nothing about the root system and the processes it's running, as it won't work smoothly. Commented Mar 21, 2017 at 22:36
0

You can accomplish this using Linux namespaces. Containers (Docker, lxc) are made out of those. man unshare is your friend. Beware that an attacker can easily escape chroot if you use it improperly. Read up on this before using it. You have been warned.
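One way to build what this answer points at, as an added example that is not part of the original answer: an overlay of the host root (so every change lands in a separate directory, as the asker wanted) run under unshare with its own PID and mount namespaces and a private /proc. It assumes Linux with util-linux unshare and overlayfs, root privileges, and that the state directory sits on its own filesystem; JAIL_STATE and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not from the original answer. Overlay root over the host "/"
# (host files untouched, all writes go to JAIL_STATE) run in fresh PID and
# mount namespaces so the jailed process gets a private /proc and cannot see
# host processes. Assumes Linux, util-linux `unshare`, overlayfs, root.
set -eu

JAIL_LOWER="/"                                   # read-only base layer
JAIL_STATE="${JAIL_STATE:-/srv/jail-state}"      # placeholder; must be its own filesystem

# True when both paths live on the same filesystem (df -P is portable).
# Overlayfs on kernels >= 5.2 rejects an upperdir that sits inside its own
# lowerdir ("overlapping upperdir path"), so JAIL_STATE has to be a separate
# partition or loop-mounted image, not a plain subdirectory of "/".
same_filesystem() {
    [ "$(df -P "$1" | awk 'NR==2{print $1}')" = "$(df -P "$2" | awk 'NR==2{print $1}')" ]
}

# Print (without running) the command that isolates "$@" under root "$1".
#   -p            new PID namespace: jailed process is PID 1, host PIDs invisible
#   --fork        required with -p so the child, not unshare itself, is PID 1
#   -m            new mount namespace: mounts made inside never reach the host
#   --mount-proc  mount a fresh procfs at DIR showing only the new PID namespace
build_isolated_cmd() {
    root="$1"; shift
    printf 'unshare -pm --fork --mount-proc=%s/proc chroot %s %s\n' "$root" "$root" "$*"
}

# Mount host "/" as lower layer; JAIL_STATE/upper catches every write
# (installed packages, logs, config edits). Prints the merged root.
prepare_overlay_root() {
    if same_filesystem "$JAIL_STATE" "$JAIL_LOWER"; then
        echo "JAIL_STATE must be on a separate filesystem from $JAIL_LOWER" >&2
        return 1
    fi
    mkdir -p "$JAIL_STATE/upper" "$JAIL_STATE/work" "$JAIL_STATE/merged"
    mount -t overlay overlay \
        -o "lowerdir=$JAIL_LOWER,upperdir=$JAIL_STATE/upper,workdir=$JAIL_STATE/work" \
        "$JAIL_STATE/merged"
    printf '%s\n' "$JAIL_STATE/merged"
}

# Run "$@" as root inside the isolated overlay root. This is still a plain
# chroot: root inside can break out (the caveat the answer gives); a user
# namespace would be needed to stop the jailed process being real root.
run_isolated() {
    root=$(prepare_overlay_root) || return 1
    unshare -pm --fork --mount-proc="$root/proc" chroot "$root" "$@"
}
```

Inside `run_isolated /bin/sh -c 'ps -ef'` only the jailed processes are listed, and anything the shell installs or writes shows up under JAIL_STATE/upper rather than on the host.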
