A "micro jail" Example

The following example creates and runs an nginx "micro jail". A micro jail, or service jail, is a jail containing only the files and paths required for the jail to perform its function, in this case running an instance of nginx. In essence, the script bootstraps the jail with the basic required directories such as /dev and /var/run and, most importantly, copies libc and the ld-elf shared libraries from the host system, along with any other libraries the program inside the jail may require to run.

For better security, this can be extended by making the root read-only and mounting any read-write paths from the host, for example /var/log/nginx for nginx.

If the service in the jail requires syslog (e.g. Postfix logs only through syslog), the host's syslogd(8) can create a listening socket inside the jail by adding -l (lowercase L) to syslogd_flags. The flag can be given more than once, so the host's syslogd can listen in multiple jails.

syslogd_flags="-s -l /path/to/the/jail/root/var/run/log"

    #!/bin/sh

    ROOT="/path/to/the/jail/root"

    # Create the minimal directory tree and copy the runtime libraries from the host
    bootstrap() {
            mkdir -p "${ROOT}/dev"
            mkdir -p "${ROOT}/etc"
            mkdir -p "${ROOT}/lib"
            mkdir -p "${ROOT}/libexec"
            mkdir -p "${ROOT}/sbin"
            mkdir -p "${ROOT}/var/run"

            # Temporarily hardcoded here for this example, use ldd to automatically find needed base libs
            cp /lib/libthr.so.3 "${ROOT}/lib/"
            cp /lib/libcrypt.so.5 "${ROOT}/lib/"
            cp /lib/libz.so.6 "${ROOT}/lib/"
            cp /lib/libc.so.7 "${ROOT}/lib/"
            cp /libexec/ld-elf.so.1 "${ROOT}/libexec/"

            # At minimum the root user is needed, assuming pkg will install whatever additional user is required
            echo "root:*:0:0::0:0:Charlie &:/root:/bin/csh" > "${ROOT}/etc/master.passwd"
            echo "wheel:*:0:root" > "${ROOT}/etc/group"
            # Build the password databases inside the jail's /etc
            pwd_mkdb -d "${ROOT}/etc" -p "${ROOT}/etc/master.passwd"
    }

    # Install nginx into the jail root using the host's pkg
    install_pkg() {
            pkg -r "${ROOT}" install -y nginx
    }

    # Put the default configuration and index page in place
    configure() {
            mkdir -p "${ROOT}/usr/local/www/nginx/"

            cp "${ROOT}/usr/local/etc/nginx/nginx.conf-dist" "${ROOT}/usr/local/etc/nginx/nginx.conf"
            cp "${ROOT}/usr/local/etc/nginx/mime.types-dist" "${ROOT}/usr/local/etc/nginx/mime.types"
            cp "${ROOT}/usr/local/www/nginx-dist/index.html" "${ROOT}/usr/local/www/nginx/"

            # Write the runtime linker hints file used inside the jail
            ldconfig -f "${ROOT}/var/run/ld-elf.so.hints" /usr/local/lib
    }

    # Create the jail and start nginx in it as the www user
    run() {
            jail \
                    -c path="${ROOT}" \
                    mount.devfs \
                    securelevel=3 \
                    host.hostname=nginx \
                    ip4=inherit \
                    exec.jail_user=www \
                    command=/usr/local/sbin/nginx
    }

    bootstrap
    install_pkg
    configure
    run
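
The bootstrap step above hardcodes the base libraries and notes that ldd can find them automatically. The following added example does that; it is not part of the original guide, and the function names, the script name copylibs.sh and the sample ldd output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: derive the base library list from ldd(1) output.
# Function names are hypothetical; SAMPLE_LDD is constructed, not captured.

SAMPLE_LDD='/usr/local/sbin/nginx:
        libthr.so.3 => /lib/libthr.so.3 (0x800a00000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x800c00000)
        libpcre.so.1 => /usr/local/lib/libpcre.so.1 (0x800e00000)
        libz.so.6 => /lib/libz.so.6 (0x801000000)
        libc.so.7 => /lib/libc.so.7 (0x801200000)
        libmissing.so.1 => not found (0)
        [vdso] (0x7ffffffff000)'

# Read ldd output on stdin; print each resolved base library path once.
# Paths under /usr/local are skipped because pkg -r installs those inside
# the jail root. Unresolved entries go to stderr and make the function
# return 1; the caller decides whether that is fatal.
libs_from_ldd() {
        awk '
                $2 != "=>"   { next }
                $3 !~ /^\//  { print "unresolved: " $1 > "/dev/stderr"; bad = 1; next }
                $3 ~ /^\/usr\/local\// { next }
                !seen[$3]++  { print $3 }
                END          { exit bad }
        '
}

# Read absolute paths on stdin; copy each to the same path under root $1.
copy_into_jail() {
        root=$1
        while IFS= read -r lib; do
                [ -n "$lib" ] || continue
                mkdir -p "${root}$(dirname "$lib")" || return 1
                cp "$lib" "${root}${lib}" || return 1
        done
}

# Usage on the host (script name is hypothetical):
#   sh copylibs.sh "${ROOT}/usr/local/sbin/nginx" "${ROOT}"
# The runtime linker /libexec/ld-elf.so.1 is still copied separately,
# as in bootstrap() above.
if [ "$#" -eq 2 ]; then
        list=$(ldd "$1" | libs_from_ldd) || echo "warning: unresolved libraries" >&2
        printf '%s\n' "$list" | copy_into_jail "$2"
fi
```

An unresolved entry may be a package library that exists only under the jail's /usr/local/lib, which is why the usage block warns instead of aborting.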

VladimirKrstulja/Guides/MicroJails (last edited 2017-09-25T14:55:24+0000 by VladimirKrstulja)