I'm trying to start services within a controlled jailroot. So I tried using the RootDirectory directive as described in the systemd-exec man page. It should be simple, but I never managed to make it work.

I tried to start a simple, minimalistic, statically compiled program that just prints "Hello world". It has no library dependencies etc. This should be simple, but it doesn't work, even when I bind mount just about every main directory in "/" into my RootDirectory=/usr/my_chroot.

I tried grepping all the available service files on my machines for RootDirectory to find an example that I could learn from, but I couldn't find any. So I grepped the internet and couldn't find even a single example that uses it. But I did find some remark that its usage can screw up some cases (at least service types of Type=notify) due to some boondoggle with systemd's listening socket or something. But my example is totally simple, of the "oneshot" type. It works great without the RootDirectory directive.

What gives? Has anyone actually tried using this? Or is this one of those silently obsoleted things?

It would be great if one could use it to jail each service into its own private view of the filesystem on the machine in an economical way, using not much more than a dozen bind-mounts...

Is there a simple demo example that uses it that I could try?

TIA