Nullfs Allows Jailbreaking
Adam Vande More
amvandemore at gmail.com
Thu Dec 23 03:08:05 UTC 2010
On Wed, Dec 22, 2010 at 8:56 PM, Jason C. Wells <jcw at speakeasy.net> wrote:
> I like the idea of using a template for multiple jails that I plan to use
> later. I like the idea of mounting the template read only. I had to splice
> in the other nullfs filesystems so that things that need to be read-write
> can be.
>
> But it seems kinda funky. Inside the jail it looks like EVERYTHING is
> read-only and you have no way of knowing that /tmp is actually read-write.
> There seems to be a violation of the segregation going on here.
>
> What pitfalls can you see in a file system scheme like this for my jails?
> Is the above behavior by design or did I find a flaw?
>
I think you're reinventing the wheel. The sysutils/ezjail already handles
this gracefully in addition to many other features. For reference ezjail
creates a layout like this:
/usr/jails/www.example.com.device on /usr/jails/www.example.com (ufs, local, soft-updates)
/usr/jails/basejail on /usr/jails/www.example.com/basejail (nullfs, local, read-only)
devfs on /usr/jails/www.example.com/dev (devfs, local, multilabel)
From inside the jail you see:
/usr/jails/www.example.com.device on / (ufs, local, soft-updates)
--
Adam Vande More
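
Added example (not part of the original message, and not ezjail's own code): a host-side check that reads mount output in the format quoted above and reports which paths under a jail root are read-only and which are writable, since that is not visible from inside the jail. The sample input is constructed from the layout in the message; the /tmp splice line, the /dev/ada0p2 device and the function names are assumptions.

```sh
#!/bin/sh
# Constructed sample of host-side `mount` output, modelled on the layout
# quoted in the message; the /tmp line is a hypothetical read-write splice.
sample_mounts() {
cat <<'EOF'
/dev/ada0p2 on / (ufs, local, soft-updates)
/usr/jails/www.example.com.device on /usr/jails/www.example.com (ufs, local, soft-updates)
/usr/jails/basejail on /usr/jails/www.example.com/basejail (nullfs, local, read-only)
devfs on /usr/jails/www.example.com/dev (devfs, local, multilabel)
/usr/jails/rw/tmp on /usr/jails/www.example.com/tmp (nullfs, local)
EOF
}

# jail_mounts ROOT: read mount output on stdin, print one line per mount
# at or below ROOT as "<ro|rw> <fstype> <path as seen inside the jail>".
jail_mounts() {
    awk -v root="${1%/}" '
    {
        # Split "<source> on <mountpoint> (<fstype>, <opt>, ...)".
        lp = index($0, " (")
        on = index($0, " on ")
        if (lp == 0 || on == 0 || on > lp) next
        mnt = substr($0, on + 4, lp - on - 4)
        opts = substr($0, lp + 2, length($0) - lp - 2)
        # Keep only mounts that are the jail root or live beneath it.
        if (mnt != root && index(mnt, root "/") != 1) next
        n = split(opts, o, ", ")
        mode = "rw"
        for (i = 2; i <= n; i++) if (o[i] == "read-only") mode = "ro"
        rel = substr(mnt, length(root) + 1)
        if (rel == "") rel = "/"
        print mode, o[1], rel
    }'
}

# writable_mounts ROOT: only the read-write mounts, i.e. the places a
# process inside the jail can actually modify.
writable_mounts() {
    jail_mounts "$1" | awk '$1 == "rw" { print $3 }'
}

sample_mounts | jail_mounts /usr/jails/www.example.com
```

On a real host, pipe the output of mount into jail_mounts instead of the sample.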