Re: [dev] [quark] Performance issues
On Wed, Sep 25, 2019 at 08:20:52AM +0200, Laslo Hunhold wrote:
> chroot() should never be optional. unveil() might bring the same
> effect, but the unveil()-wrapper in quark doesn't do anything on Linux.
>
chroot() has several detrimental effects, most importantly making it
impossible to access /dev/null and /dev/urandom. Unless, of course,
measures are taken to replicate these devices underneath the new root.
It is also not a security device. If a service in a chroot is exploited
with root privileges, it can mount procfs wherever, and access
/proc/1/root. It can also mount another instance of the rootfs wherever
and escape the jail that way.
>
> With best regards
>
> Laslo
>
Ciao,
Markus
Received on Wed Sep 25 2019 - 16:06:52 CEST
This archive was generated by hypermail 2.3.0
: Wed Sep 25 2019 - 16:24:08 CEST