On Mon, Mar 11, 2013 at 11:52 PM, Bakul Shah <ba...@bitblocks.com> wrote:
> To do something similar you will have to constrain each jail
> to see a subset of processes, give it its own /dev, /env etc.
> Not sure how you do this.
So long as processes in the jail use /dev, /env, etc., etc., as inherited from/shared with their parent processes, this seems doable, if tedious: provide a synthetic file system that shows a limited view on /dev, /env, etc. But the child process can always mount #x for various x, and get out of jail.

—Joel
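One way to close the hole Joel points at, as an added example (an rc script written here, not code from the thread): build the limited view of /dev in a private name space, then drop the right to mount or to attach '#' kernel devices with RFNOMNT (rc's `rfork m`) before exec'ing the jailed command. The /tmp layout and the list of exposed device files are assumptions for illustration.

```rc
#!/bin/rc
# Added example, not from the thread. The /tmp layout and the set of
# device files exposed below are assumptions chosen for illustration.

# Private copy of the name space (n) and environment (e): nothing done
# below is visible to the parent or to sibling processes.
rfork ne

# Private scratch file system over /tmp, holding the limited view of /dev.
ramfs
mkdir /tmp/dev
for(f in null zero cons){
	touch /tmp/dev/$f
	bind /dev/$f /tmp/dev/$f      # expose only these device files
}
bind /tmp/dev /dev                # replace /dev with the limited view

# Seal the name space: RFNOMNT makes later mount/bind calls fail with
# "mount/attach disallowed" and refuses '#x' paths, so the child cannot
# re-attach a kernel device to get the full tree back.
rfork m

# Self-check before handing over control: '#s' (srv) must no longer resolve.
if(test -d '#s'){
	echo 'name space not sealed, refusing to run' >[1=2]
	exit notsealed
}

# Caveat: stock Plan 9 still lets a sealed process open a handful of
# devices by '#' name (as I recall from namec in port/chan.c: pipe, dup,
# env, cons and proc), so hiding /proc needs its own treatment.
exec $*
```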