We currently `mknod` `/jail/dev/{null,zero,urandom}` during build and then bind mount `/jail/dev` to `/srv/dev` at runtime:

https://github.com/redpwn/jail/blob/90ee0607b481a53fd612863eb0787b06066303e4/Dockerfile#L19-L21
https://github.com/redpwn/jail/blob/90ee0607b481a53fd612863eb0787b06066303e4/cmd/jailrun/jailrun.go#L146-L148

Instead, we should mount a tmpfs to `/srv/dev` at runtime, `mknod` all the devices we want, and remount the tmpfs as read-only.

This allows the devices available to the jail to be specified at runtime. It also means that `/dev` in each jail will be mounted read-only, so we don't have to rely on file permissions there.
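The runtime sequence described above (tmpfs mount, `mknod` of an allow-list of nodes, read-only remount), written out as an added Go example. This is not code from the redpwn/jail repository; the `charDev` type, the `jailDevices` table, `makedev` and `setupDev` are names chosen here, and the tmpfs size and mode options are assumptions. `setupDev` needs Linux and `CAP_SYS_ADMIN`/`CAP_MKNOD` (root in a mount namespace), so only the pure `makedev` helper is exercised by the accompanying check; the device numbers (1,3), (1,5), (1,9) are the standard Linux numbers for null, zero and urandom.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// charDev describes one character device node to create inside the jail's /dev.
type charDev struct {
	name  string
	major uint32
	minor uint32
}

// jailDevices is the allow-list of nodes the jail gets: the three the issue mentions.
// Anything not in this table simply does not exist inside the jail.
var jailDevices = []charDev{
	{name: "null", major: 1, minor: 3},
	{name: "zero", major: 1, minor: 5},
	{name: "urandom", major: 1, minor: 9},
}

// makedev encodes a major/minor pair the way Linux (and glibc's makedev) does,
// so the result can be passed straight to mknod(2).
func makedev(major, minor uint32) uint64 {
	dev := uint64(major&0x00000fff) << 8
	dev |= uint64(major&0xfffff000) << 32
	dev |= uint64(minor & 0x000000ff)
	dev |= uint64(minor&0xffffff00) << 12
	return dev
}

// setupDev mounts a fresh tmpfs at dir, populates it with exactly the nodes in
// devs, and then remounts it read-only so the jailed process cannot add, remove
// or chmod device nodes regardless of the file permissions on them.
func setupDev(dir string, devs []charDev) error {
	// nosuid/noexec on a /dev tmpfs: nothing in there should ever be executable
	// or setuid. MS_REMOUNT replaces the flag set, so they are repeated below.
	const base = syscall.MS_NOSUID | syscall.MS_NOEXEC

	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	// Assumed mount options: a tiny tmpfs is enough for a handful of nodes.
	if err := syscall.Mount("tmpfs", dir, "tmpfs", base, "mode=0755,size=64k"); err != nil {
		return fmt.Errorf("mount tmpfs on %s: %w", dir, err)
	}

	// mknod honours the umask; clear it so the 0666 mode is applied as written.
	oldMask := syscall.Umask(0)
	defer syscall.Umask(oldMask)

	for _, d := range devs {
		p := filepath.Join(dir, d.name)
		if err := syscall.Mknod(p, syscall.S_IFCHR|0o666, int(makedev(d.major, d.minor))); err != nil {
			return fmt.Errorf("mknod %s: %w", p, err)
		}
	}

	// Remount read-only: from here on the node set is frozen for the jail.
	if err := syscall.Mount("", dir, "", syscall.MS_REMOUNT|syscall.MS_RDONLY|base, ""); err != nil {
		return fmt.Errorf("remount %s read-only: %w", dir, err)
	}
	return nil
}

func main() {
	dir := "/srv/dev"
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	if err := setupDev(dir, jailDevices); err != nil {
		fmt.Fprintln(os.Stderr, "setupDev:", err)
		os.Exit(1)
	}
	fmt.Printf("populated read-only %s with %d device nodes\n", dir, len(jailDevices))
}
```

Run it as root inside the jail's mount namespace (for example `go run . /srv/dev`); afterwards `mount | grep /srv/dev` should show the tmpfs with `ro,nosuid,noexec`, and `touch /srv/dev/x` should fail with a read-only filesystem error even as root, which is the property the issue is after.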