DNS lookups inside a chroot (was: security projects thoughts)
Jordan K. Hubbard
jkh at apple.com
Sun Apr 17 14:25:52 PDT 2011
On Apr 17, 2011, at 1:33 AM, Joshua Root wrote:
> Maybe you can help me out then. :-) I can't get (lib)curl or ping to
> work inside a chroot (as created by MPAB) because their DNS lookups fail:
I asked around and this is apparently a known issue with the chroot environment being unable to contact the mDNSResponder socket. Untested, but what might work is running your own copy of mDNSResponder inside the chroot - copy the appropriate command line args out of the launchd plist for it. This is one of those areas where chroot(1) is simply becoming more and more incompatible with Mac OS X (despite my earlier assertions that you should "just chroot") due to all the services that need to run. A chroot environment does not have a launchd managing it, for example, yet something like that is what's really needed if you're going to run a shell in a chroot environment as if it were a fully-fledged instance of the system.
Perhaps a better idea would be to enhance trace mode such that it "faults in" stuff on demand into a run-specific staging area. Read-only opens of the files in the system would succeed, of course, it being only creations or rw/append opens which forced the copy, which means it wouldn't run all that slowly either. What's the current behavior of trace mode across fork/exec boundaries? Do the children get the properly interposed library such that they're also talking to the trace bits rather than the filesystem APIs directly?
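An added diagnostic for the failure discussed above (example code, not part of the thread and not MacPorts' own): it checks whether the mDNSResponder socket is visible under a chroot root and pulls the daemon's ProgramArguments from its launchd plist, which is the information the reply says to copy. The socket path /var/run/mDNSResponder and the plist location are assumptions, and the fixture it builds is constructed test data rather than a real system.

```python
"""Diagnose why DNS fails in a chroot: is the mDNSResponder socket reachable?"""
import os
import plistlib
import socket
import stat
import tempfile

# Assumed path of the mDNSResponder Unix-domain socket, relative to the root.
MDNS_SOCKET = "var/run/mDNSResponder"
# Assumed location of the launchd job definition for mDNSResponder.
MDNS_PLIST = "System/Library/LaunchDaemons/com.apple.mDNSResponder.plist"


def mdns_socket_visible(root):
    """True if <root>/var/run/mDNSResponder exists and is a socket.
    A process chrooted to `root` resolves that path relative to `root`,
    so the host's socket is invisible unless a daemon was started inside."""
    try:
        return stat.S_ISSOCK(os.stat(os.path.join(root, MDNS_SOCKET)).st_mode)
    except OSError:
        return False


def launchd_program_arguments(plist_path):
    """Command line launchd uses for the daemon (ProgramArguments), or []."""
    try:
        with open(plist_path, "rb") as fh:
            return [str(a) for a in plistlib.load(fh).get("ProgramArguments", [])]
    except (OSError, plistlib.InvalidFileException):
        return []


def chroot_dns_report(root, host_root="/"):
    """What a chrooted resolver will see, plus the args to start a copy inside."""
    return {
        "socket_visible": mdns_socket_visible(root),
        "daemon_args": launchd_program_arguments(os.path.join(host_root, MDNS_PLIST)),
    }


def build_constructed_chroot(with_socket):
    """Constructed fixture (not a real system): a temp root holding a sample
    launchd plist and, optionally, a bound Unix socket at the path where the
    mDNSResponder socket would live. Returns the root path."""
    root = tempfile.mkdtemp(prefix="chroot-")
    os.makedirs(os.path.join(root, os.path.dirname(MDNS_PLIST)))
    with open(os.path.join(root, MDNS_PLIST), "wb") as fh:
        plistlib.dump({"Label": "com.apple.mDNSResponder",
                       "ProgramArguments": ["/usr/sbin/mDNSResponder"]}, fh)
    if with_socket:
        os.makedirs(os.path.join(root, "var/run"))
        socket.socket(socket.AF_UNIX).bind(os.path.join(root, MDNS_SOCKET))
    return root
```

Run `chroot_dns_report("/path/to/mpab/chroot")` on the host: a False `socket_visible` with non-empty `daemon_args` is the state the reply describes, and the args are what to launch inside the chroot.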