3 # This file SHOULD NOT be executable! It is sourced by jailsetup.sh and
4 # SHOULD NOT be executed directly!
6 # On entry the current directory will be set to the top of the chroot
7 # This script must perform platform-specific chroot setup which includes
8 # creating any dev device entries, setting up proc (if needed), setting
9 # up lib64 (if needed) as well as installing a basic set of whatever libraries
10 # are needed for a chroot to function on this platform.
12 # This script must also define a pull_in_bin function that may be called to
13 # install an executable together with any libraries it depends on into the
16 # Finally this script must install a suitable nc.openbsd compatible version of
17 # netcat into the chroot jail that's available as nc.openbsd and which supports
18 # connections to unix sockets.
20 # We are designed to set up the chroot based on binaries from
21 # amd64 Debian lenny; some things may need slight modifications if
22 # being run on a different distribution.
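# Skeleton of the jail: the device directory plus root-owned proc and
# selinux mount points, then the var/run/sshd and var/tmp directories
# (var/tmp is also the staging area pull_in_bin copies binaries through).
mkdir -p dev proc selinux
chown 0:0 proc selinux

# Only a minimal set of device nodes exists inside the jail.  Remove any
# previous entries first so a stale or wrong node is never kept, then
# recreate all four with the standard Linux character-device numbers.
# (The visible code chmod'ed dev/null and dev/zero without recreating them
# after the rm -f above; they are created here so chmod cannot fail.)
rm -f dev/null dev/zero dev/random dev/urandom
mknod dev/null    c 1 3
mknod dev/zero    c 1 5
mknod dev/random  c 1 8
mknod dev/urandom c 1 9
# mknod honours the umask, so make the nodes usable by every jailed uid.
chmod a+rw dev/null dev/zero dev/random dev/urandom

mkdir -p var/run/sshd var/tmp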
45 test -f "$_f" ||
return 1
# Bring in basic libraries: every machine binary in the jail needs the
# dynamic loader, so copy ld-linux into lib/ from /lib and, when a 64-bit
# layout is present, from /lib64 as well.  Each copy happens only when the
# source directory exists and has_files sees a matching file there.
if [ -d /lib ] && has_files /lib/ld-linux*.so*; then
  cp -p -t lib /lib/ld-linux*.so*
fi
if [ -d /lib64 ] && has_files /lib64/ld-linux*64.so*; then
  cp -p -t lib /lib64/ld-linux*64.so*
fi
56 has_files lib
/ld-linux
*.so
* ||
{
57 echo "ERROR: could not find any ld-linux*.so* file" >&2
61 # Besides '=>' libs, also pick up libs listed as absolute paths and create a symlink for them, up to one level deep
63 ldd
"$1" |
grep -v -e linux-gate
-e linux-vdso
-e ld-linux |
awk '{print $1 " " $2 " " $3}' |
64 while read -r _f1 _f2 _f3
; do
70 case "$_f1" in /*.so
*)
71 _basedir
="$(dirname "$_f1")"
72 _basedir
="${_basedir#/}"
73 _basedir
="${_basedir#usr/}"
79 _basedir
="${_basedir#lib/}"
80 case "$_basedir" in */*) :;; *)
81 if [ ! -e "lib/$_basedir" ]; then
82 ln -s .
"lib/$_basedir"
95 dst
="${2%/}/$(basename "$1")"
96 if [ ! -e "$dst" ] ||
[ "$1" -nt "$dst" ]; then
98 for llib
in $
(extract_libs
"$1"); do
99 (pull_in_lib
"$llib" lib
)
103 case "$(basename "$1")" in libc.
*)
104 # grab libnss_compat.so* from libc location
105 ! has_files
"$(dirname "$1")/libnss_compat."so
* ||
106 for nlib
in "$(dirname "$1")/libnss_compat."so
*; do
107 (pull_in_lib
"$nlib" "$2")
113 # pull_in_bin takes two required arguments and one optional argument:
114 # 1: the full path to a binary to pull in (together with any library dependencies)
115 # 2: the destination directory, relative to the current directory, to copy it to; it
116 # MUST already exist.  An alternate file name may be appended if the name inside the chroot should differ
117 # 3: optional name of a binary that, if it already exists in $2 and is identical to $1, is hard-linked to instead of copying
118 # for example, "pull_in_bin /bin/sh bin" will install the shell into the chroot bin directory
119 # for example, "pull_in_bin /bin/bash bin/sh" will install bash as the chroot bin/sh
120 # IMPORTANT: argument 1 must be a machine binary, NOT a shell script or other interpreted text
121 # IMPORTANT: text scripts can simply be copied in or installed as they don't have libraries to copy
122 # NOTE: it's expected that calling this function on a running chroot may cause temporary disruption
123 # In order to avoid a "text file busy" error while replacing binaries we first copy the binary to the
124 # var/tmp directory and then force move it into place after the libs have been brought in.
127 if [ -d "${bdst%/}" ]; then
128 bnam
="$(basename "$bin")"
131 bnam
="$(basename "$bdst")"
134 if [ -n "$3" ] && [ "$3" != "$bnam" ] &&
135 [ -r "$bdst/$3" ] && [ -x "$bdst/$3" ] && cmp -s "$bin" "$bdst/$3"; then
136 ln -f "$bdst/$3" "$bdst/$bnam"
139 cp -p -t var
/tmp
"$bin"
140 # ...and all the dependencies.
141 for lib
in $
(extract_libs
"$bin"); do
142 pull_in_lib
"$lib" lib
144 mv -f "var/tmp/$(basename "$bin")" "$bdst/$bnam"
147 # A catch all that needs to be called after everything's been pulled in
148 chroot_update_permissions
() {
150 [ -n "$chroot_dir" ] && [ "$chroot_dir" != "/" ] ||
{ echo bad
'$chroot_dir' >&2; exit 2; }
151 cd "$chroot_dir" ||
{ echo bad
'$chroot_dir' >&2; exit 2; }
153 chown
-R 0:0 bin dev lib sbin var
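# The nc.openbsd compatible utility is named by $var_nc_openbsd_bin.  It must
# be a machine binary (see pull_in_bin) and is installed into the jail under
# the fixed name bin/nc.openbsd, the name callers rely on for unix socket
# connections.  Fail early with a clear message when the variable is unset
# or empty instead of letting pull_in_bin trip over an empty source path.
: "${var_nc_openbsd_bin:?var_nc_openbsd_bin must name the nc.openbsd compatible binary}"
pull_in_bin "$var_nc_openbsd_bin" bin/nc.openbsd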