Skip to Content [alt-c]
In reply to Comment by Reader Richard Yao
You are mistaken. Linux does have chroot(2) and therefore "chroot jails". The "chroot jail" concept dates back at least to SVr4 and is older than namespaces and cgroups. In fact, chroot is probably the original Unix "container" mechanism. The problems with chroot are well-known, in particular that it only affects filesystem access and that root can easily escape from a chroot jail. Other problems come from the isolation provided by chroot--if /dev isn't bind-mounted inside the chroot jail or a duplicate /dev/urandom created inside the jail, a jailed process does not have access to it. Similarly, data in /proc is inaccessible unless /proc is mounted inside the jail. Most programs that use chroot for security intentionally lock themselves into a very limited environment, thus the use case for a getentropy syscall.
Reply
Your comment will be public. To contact me privately, email me. Please keep your comment polite, on-topic, and comprehensible. Your comment may be held for moderation before being published.
Your Name: (Optional; will be published)
Your Email Address: (Optional; will not be published)
Your Website: (Optional; will be published)
>
monospaced
Post a Reply
Your comment will be public. To contact me privately, email me. Please keep your comment polite, on-topic, and comprehensible. Your comment may be held for moderation before being published.