No description
5451b8db9d
chroot only changes the process root directory, not the mount namespace root directory, and it is well-known that any process with chroot capability can break out of a chroot "jail". By using pivot_root as well, and unmounting the original mount namespace root directory, breaking out becomes impossible. Non-root processes typically have no ability to use chroot() anyway, but they can gain that capability through the use of clone() or unshare(). For security reasons, these syscalls are limited in functionality when used inside a normal chroot environment. Using pivot_root() this way does allow those syscalls to be put to their full use. |
||
---|---|---|
config | ||
corepkgs | ||
doc | ||
misc | ||
mk | ||
perl | ||
scripts | ||
src | ||
tests | ||
.gitignore | ||
bootstrap.sh | ||
configure.ac | ||
COPYING | ||
dev-shell | ||
INSTALL | ||
local.mk | ||
Makefile | ||
Makefile.config.in | ||
nix.spec.in | ||
README | ||
release.nix | ||
version |
Nix is a purely functional package manager. For installation and usage instructions, please read the manual, which can be found in `docs/manual/manual.html', and additionally at the Nix website at <http://nixos.org/>. Acknowledgments This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.OpenSSL.org/).