How to deal with trust in the outer jail
We need to decide how much we trust the outer jail. It seems somewhere in between the trusted host and the untrusted. In an ideal world where we control all datasets, it's not a problem as we will just not execute anything in the outer jail. However, the moment we do not trust the author of the dataset things become tricky.
Consider the following scenery: Since the outer zone uses a VNET interface it would be possible for a sneaky person to misconfigure the interfaces on the outer jail and end up with an IP address they should not have access to. That said the code is still all executed inside a jail.
There are a few possible ways to deal with this:
- We declare the outer jail 'trustworthy' and put the burden of verification on the user. That kind of doesn't sit right with me.
- We include an empty outer jail into the dataset, or remove everything but the
/jail
directory and populate it with trusted binaries on jail reation (my favourite) - We get completely rid of the outer jail and do some sneaky mounty thing into a custom outer jail every time we start (feels like a lot of work)
There is also the problem with how do we deal with a startup, SmartOS uses brand and sub-brand files to strictly define startups we might need to do the same. it's a proven concept so not the worst
[1] https://github.com/joyent/illumos-joyent/blob/master/usr/src/lib/brand/lx/zone/lx_boot.ksh