Add check for required Perl modules
# chrootsetup_linux.sh
# This file SHOULD NOT be executable!  It is sourced by jailsetup.sh and
# SHOULD NOT be executed directly!
# On entry the current directory will be set to the top of the chroot.
# This script must perform platform-specific chroot setup, which includes
# creating any dev device entries, setting up proc (if needed), setting
# up lib64 (if needed), as well as installing a basic set of whatever libraries
# are needed for a chroot to function on this platform.
# This script must also define a pull_in_bin function that may be called to
# install an executable, together with any libraries it depends on, into the
# chroot.
# Finally, this script must install a suitable nc.openbsd-compatible version of
# netcat into the chroot jail that is available as nc.openbsd and which supports
# connecting to unix sockets.
# We are designed to set up the chroot based on binaries from
# amd64 Debian lenny; some things may need slight modifications if
# being run on a different distribution.
# Top-level skeleton of the jail: the device directory plus the proc and
# selinux mount points.  proc and selinux are handed to uid 0 / gid 0 here.
mkdir -p dev proc selinux
chown 0:0 proc selinux

# Inside the jail lib64 is only ever a symlink to lib; drop any previous
# link and recreate it so both library paths resolve to the same directory.
rm -f lib64
ln -s lib lib64
# Seed /dev inside the jail.
# Only these four character devices are created (no block devices, no
# mem/kmem), which keeps the device surface exposed to the jail minimal.
# Existing nodes are removed first so that mknod does not fail on re-runs.
rm -f dev/null dev/zero dev/random dev/urandom
mknod dev/null    c 1 3
mknod dev/zero    c 1 5
mknod dev/random  c 1 8
mknod dev/urandom c 1 9
# All four must be readable and writable by every user inside the jail.
chmod a+rw dev/null dev/zero dev/random dev/urandom
# Extra directories the jail needs.
# NOTE(review): var/run/sshd and var/empty look like sshd runtime /
# privilege-separation directories -- confirm against jailsetup.sh.
mkdir -p var/empty var/run/sshd
# var/empty is made read-only for everyone so nothing can be created in it.
chmod 0444 var/empty
# Bring in the basic libraries.
# These are *copies* of the host's files taken at setup time: a later
# security update of the host's libc or loader does not reach the jail
# until this setup is run again.
rm -f lib/*

# ld.so: the 32-bit loader always, the 64-bit loader only if the host
# has a /lib64 directory.
cp -p -t lib /lib/ld-linux.so.2
if [ -d /lib64 ]; then
	cp -p -t lib /lib64/ld-linux-x86-64.so.2
fi

# libc and the companion libraries it loads on demand (nss, resolver, ...):
cp -p -t lib \
	/lib/libc.so.6 \
	/lib/libcrypt.so.1 \
	/lib/libutil.so.1 \
	/lib/libnsl.so.1 \
	/lib/libnss_compat.so.2 \
	/lib/libresolv.so.2 \
	/lib/libdl.so.2 \
	/lib/libgcc_s.so.1
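# pull_in_bin takes two arguments:
# 1: the full path to a binary to pull in (together with any library dependencies)
# 2: the destination directory relative to the current directory to copy it to
# for example, "pull_in_bin /bin/sh bin" will install the shell into the chroot bin directory
# IMPORTANT: argument 1 must be a machine binary, NOT a shell script or other interpreted text
# IMPORTANT: text scripts can simply be copied in or installed as they don't have libraries to copy
# NOTE: it's expected that calling this function on a running chroot may cause temporary disruption
# SECURITY: ldd(1) is documented as unsafe on untrusted executables (it may
#   end up running code from the file it inspects).  Only call this function
#   on trusted binaries from the host system, never on a file that a jailed
#   or otherwise unprivileged user could have supplied or replaced.
# Returns non-zero if a copy fails or if ldd reports a library as "not found".
# Sets the globals bin, dst, _pib_ldd and _pib_missing.
pull_in_bin() {
	bin="$1"; dst="$2"
	# "--" keeps a path starting with "-" from being parsed as an option.
	cp -p -t "$dst" -- "$bin" || return

	# ...and all the dependencies.
	# ldd exits non-zero for static binaries; that just means there is
	# nothing to copy, so its status is deliberately ignored.
	_pib_ldd="$(ldd "$bin")" || :

	# Only absolute paths are passed on to cp.  An unresolved dependency is
	# printed as "libfoo.so => not found"; taking field 3 of that line
	# blindly would yield the bare word "found", which cp would resolve
	# relative to the top of the chroot.
	printf '%s\n' "$_pib_ldd" |
	awk '
		/linux-gate|linux-vdso|ld-linux/ { next }
		/=>/ && $3 ~ /^\// { print $3 }
	' |
	xargs -r -- cp -p -u -t lib || return

	# A binary with unresolved libraries will not start inside the jail,
	# so report them rather than leaving an incomplete jail behind silently.
	_pib_missing="$(printf '%s\n' "$_pib_ldd" | awk '/=> not found/ { printf "%s ", $1 }')"
	if [ -n "$_pib_missing" ]; then
		printf 'pull_in_bin: %s: unresolved libraries: %s\n' "$bin" "$_pib_missing" >&2
		return 1
	fi
	return 0
}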
# Catch-all permission fix-up: call it once everything has been pulled in.
# Recursively hands the bin, dev, lib, sbin and var trees (relative to the
# current directory, i.e. the top of the chroot) to uid 0 / gid 0.
# NOTE(review): this runs as root over whole trees; when it is re-run on a
# live jail, confirm that none of these trees is writable by a jailed user.
chroot_update_permissions() {
	chown -R 0:0 bin dev lib sbin var
}
# Nothing special is needed on this platform: the host's own nc.openbsd is
# the nc.openbsd-compatible netcat, so it is installed into the jail's bin
# directory together with the libraries it links against.
pull_in_bin "/bin/nc.openbsd" "bin"