I have some device (say /dev/sda1) mounted at /home/user1. I also have a full Linux system under /tmp/chroot, and the directory /tmp/chroot/home contains only one directory named user2.

If I chroot inside /tmp/chroot, mount /dev, /sys and /proc there and issue the mount command (or cat /proc/mounts), I can still see /dev/sda1 mounted at /home/user1, whereas the directory /home/user1 does not even exist anymore (in the chroot).

I also tried with jchroot instead of chroot (this is a program with an interface similar to chroot but creating a new mount namespace and a new PID namespace), but the results are the same.

Is this normal behaviour? It sounds weird that I can access information about mount points outside the chroot. Is there a way to make them disappear from /proc/mounts?
Best Answer
Yes, you would need to use "unshare" instead (or as well as) chroot; chroot ONLY changes the root directory of the process. While it's difficult in practice to get to anything which is above it, there are many ways to break out. It's not a jail.
There are some tools which do this, such as "lxc" (Linux containers).
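A worked illustration of the answer's advice, added here as an example; it is not code from either post. It assumes a chroot tree at /tmp/chroot that contains /bin/sh and cat plus empty proc, sys and dev directories, util-linux's unshare(1) (with --propagation) and mountpoint(1), and root privileges for the namespace part. The CHROOT and HIDE variables and the two function names are my own. One caveat the answer leaves implicit: unshare -m starts the new namespace with a copy of the host's mount table, so the /home/user1 mount still exists there; the script unmounts it inside the private namespace, which leaves the host's mount untouched, before chrooting.

```shell
#!/bin/sh
# Added example: hiding host mounts from a chroot with a private mount
# namespace. Not code from the original question or answer.
# Assumptions: a chroot tree at $CHROOT with /bin/sh, cat and empty
# proc/sys/dev directories; util-linux unshare and mountpoint; root.

CHROOT="${CHROOT:-/tmp/chroot}"   # the chroot tree from the question
HIDE="${HIDE:-/home/user1}"       # host mounts the chroot must not see

# Print the mount points in a /proc/mounts-style table (stdin) that lie
# outside the directory given as $1. Pure text processing, needs no root:
# run it on the host to see what a chroot at $1 should not be seeing.
mounts_outside_root() {
    root="${1%/}"
    [ -n "$root" ] || root=/
    awk -v root="$root" '
        BEGIN { prefix = (root == "/") ? "/" : (root "/") }
        $2 == root || index($2, prefix) == 1 { next }   # under the root
        { print $2 }
    '
}

# Enter a fresh mount namespace with private propagation, drop the
# listed host mounts there, set up /proc, /sys and /dev for the chroot,
# then show the mount table as a process inside the chroot sees it.
demo_private_mount_namespace() {
    # shellcheck disable=SC2086  # $HIDE is intentionally word-split
    unshare --mount --propagation private /bin/sh -s "$CHROOT" $HIDE <<'EOF'
root="$1"; shift
for mp in "$@"; do
    # umount in a private namespace detaches the mount here only; the
    # host keeps /home/user1 mounted.
    if mountpoint -q "$mp"; then
        umount "$mp" || echo "could not unmount $mp" >&2
    fi
done
mount -t proc  proc  "$root/proc"
mount -t sysfs sysfs "$root/sys"
# Binding the host's /dev hands the chroot every device node, including
# the block device behind /home/user1; a purpose-built minimal /dev is
# the safer choice for anything beyond this demonstration.
mount --bind /dev "$root/dev"
echo "--- mount table as seen from inside $root ---"
chroot "$root" /bin/sh -c 'cat /proc/mounts'
EOF
}

if [ "$(id -u)" -eq 0 ] && [ -d "$CHROOT/proc" ] \
   && command -v unshare >/dev/null 2>&1; then
    echo "--- host mounts outside $CHROOT (candidates to hide) ---"
    mounts_outside_root "$CHROOT" < /proc/mounts
    demo_private_mount_namespace
else
    echo "skipping namespace demo: needs root, unshare(1) and a chroot tree at $CHROOT" >&2
fi
```

The helper is the part worth keeping around: running mounts_outside_root against /proc/mounts on the host, before and after entering the namespace, gives a quick check of which host mounts a chroot would still be able to learn about.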