jchroot: a chroot with more isolation
Recent Linux kernels are now able to provide a new PID namespace to a newly created process. The process becomes PID 1 in its own namespace and all processes created in this namespace will be killed when the first process terminates. This allows to reliably kill any process started by the first process, even when they double fork. It also ensures a better isolation.
The same applies for mount points and IPC. If you combine those three namespaces with a standard chroot, you get a chroot on steroids. You can launch any (non malicious) process in this chroot, it won't interfere with your main system and everybody will be killed when you exit the shell. Any filesystem that was mounted will also be unmounted automatically.
This is what jchroot does:
- Setup user/group mappings.
- provide a new PID/IPC/mount/UTS namespace
- mount anything you want
- set hostname if needed
- chroot to your target
- drop privileges if needed
- execute your command
After your command has been executed, any process started by the execution of this command will be killed, any IPC will be freed, any mount point will be unmounted. All clean!
See also schroot and lxc.
schroot is not yet able to do
this, but this is planned. See bug #637870.
lxc should be able
to do this but seems targeted at more complex situations... If you use
systemd, look at
systemd-nspawn which does almost the
same thing than jchroot. You could also use
It should be noted that a privileged process inside jchroot may be
able to escape unless its privileges are reduced. For example, it
could fiddle with
/dev/kmem or mount any filesystem after creating
the appropriate node.
If you seek a complex isolation, you are better off with lxc which bundles many security mechanisms.
You may want to use user namespaces to increase the security of the chroot:
./jchroot -U -u 0 -g 0 -M "0 $(id -u) 1" -G "0 $(id -g) 1" /path/to/chroot cmd
Installation & use
make to get
jchroot --help to get help.
ChrootX is a wrapper around