How do I create a minimal chroot jail in macOS?

Solution 1:

TL;DR I could not get it to work. I have mentioned some ways to set it up that might work for some. Will note the errors I faced at the end.


The only thing you need for the most minimal setup is a working shell (like /bin/bash). A curious case of simple but not easy. Here's how it's supposed to be:

Required

  1. mkdir -p /tmp/chroot/bin /tmp/chroot/usr/lib
  2. cp /bin/bash /tmp/chroot/bin

Here, you need some libs for bash to work. There are 4 ways you can go about this:

Route 1

  1. otool -L /bin/bash | sed 1d | awk '{print $1}'
  2. cp 'em over to /tmp/chroot/usr/lib
  3. For every lib above, run 1 (replace /bin/bash) & 2

Perhaps dyld as well, it is not mentioned in shared lib though.

Route 2

  1. cp /usr/lib/dyld /tmp/chroot/usr/lib
  2. sudo chroot /tmp/chroot /bin/bash
  3. The above will throw an error for some library not loaded; cp it as in Route 1, step 2

Route 3

  1. cp /usr/lib/* /tmp/chroot/usr/lib
  2. mkdir -p /tmp/chroot/usr/lib/system && cp /usr/lib/system/* /tmp/chroot/usr/lib/system

Very convenient but sorta defeats the purpose

Route 4

  1. Use a script to recursively run otool and cp in Route 1.

This is what the above scripts you mentioned do.

Either way, once you have all necessary libs copied over, chroot should just run.


Why I couldn't get it to run?

% otool -L /bin/bash
/bin/bash:
    /usr/lib/libncurses.5.4.dylib (compatibility version 5.4.0, current version 5.4.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.60.1)
% ls /usr/lib/libncurses.5.4.dylib
ls: /usr/lib/libncurses.5.4.dylib: No such file or directory
% ls /usr/lib/libSystem.B.dylib
ls: /usr/lib/libSystem.B.dylib: No such file or directory

As you can see above, the files simply show up as non-existent. I tried disabling SIP and logging in as root user - no dice. Perhaps someone more knowledgeable than me can give some input on why this happens.

Since I have no access to those libs, I simply cannot create a chroot environment. I did try with sh and zsh. I tried 'em scripts in the link as well. Same story.

If it does work for you, do share your method. Btw, those 2 errors you get are missing bin/libs related.


Solution 2:

Per https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-release-notes, (62986286), copies of dynamic libraries are no longer present on the filesystem. I think this is the root cause of the missing libraries. I got the same error, but I don't have any idea how to fix it.

New in macOS Big Sur 11.0.1, the system ships with a built-in dynamic linker cache of all system-provided libraries. As part of this change, copies of dynamic libraries are no longer present on the filesystem. Code that attempts to check for dynamic library presence by looking for a file at a path or enumerating a directory will fail. Instead, check for library presence by attempting to dlopen() the path, which will correctly check for the library in the cache. (62986286)
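As an added illustration of both answers (this is example code, not the script either answerer used): the walk below is the "Route 4" idea from Solution 1, a recursive `otool -L` over a binary and everything it loads, combined with the `dlopen()` check Apple's note in Solution 2 recommends. Each resolved install name is classified as on-disk (copyable into the jail), cache-only (dlopen succeeds but there is no file to copy, which is exactly the Big Sur situation above), or missing. It assumes a macOS `otool` in PATH; `ctypes.CDLL` is used as the dlopen wrapper; `FAKE_OTOOL` is a constructed sample shaped like the transcript in Solution 1 so the resolver can be exercised on any OS.

```python
# Added example: resolve a Mach-O binary's dylib closure for a chroot and say
# where dyld would actually find each library. Not the original answerers' code.
import ctypes
import os
import shutil
import subprocess
import sys
from collections import deque


def parse_otool_output(text):
    """Dependency paths from `otool -L` output: line 1 is the binary's own name,
    each later line is '<path> (compatibility version ...)'."""
    deps = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0][0] in "/@":
            deps.append(fields[0])
    return deps


def run_otool(path):
    """Real `otool -L`; None when otool is absent or the file is not Mach-O."""
    try:
        proc = subprocess.run(["otool", "-L", path], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return proc.stdout


def resolve_deps(binary, otool=run_otool):
    """Breadth-first transitive closure of load commands ("Route 4").
    `otool` is injectable so the walk can be tested without macOS."""
    seen = {binary}
    queue = deque([binary])
    order = []
    while queue:
        item = queue.popleft()
        if item != binary:
            order.append(item)
        if item.startswith("@"):   # @rpath/@loader_path need loader context; report, don't walk
            continue
        out = otool(item)
        if not out:
            continue
        for dep in parse_otool_output(out):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return order


def classify(path):
    """'on-disk'   : a file exists and can be copied into the jail
       'cache-only': no file, but dlopen() succeeds (dyld shared cache, Big Sur+)
       'missing'   : neither, so the install name cannot be satisfied"""
    if os.path.exists(path):
        return "on-disk"
    try:
        ctypes.CDLL(path)   # ctypes wraps dlopen(), the check Apple's note recommends
    except OSError:
        return "missing"
    return "cache-only"


def copy_into_jail(root, deps):
    """Copy each on-disk dependency to the same path under `root` and return
    {path: classification}, so cache-only libraries are visible as uncopyable."""
    report = {}
    for dep in deps:
        kind = classify(dep)
        report[dep] = kind
        if kind == "on-disk":
            target = os.path.join(root, dep.lstrip("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(dep, target)
    return report


# Constructed sample of `otool -L` output (shaped like the transcript in Solution 1;
# the libcache entry and its version number are made up for the example).
FAKE_OTOOL = {
    "/bin/bash": "/bin/bash:\n"
        "\t/usr/lib/libncurses.5.4.dylib (compatibility version 5.4.0, current version 5.4.0)\n"
        "\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.60.1)\n",
    "/usr/lib/libncurses.5.4.dylib": "/usr/lib/libncurses.5.4.dylib:\n"
        "\t/usr/lib/libncurses.5.4.dylib (compatibility version 5.4.0, current version 5.4.0)\n"
        "\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.60.1)\n",
    "/usr/lib/libSystem.B.dylib": "/usr/lib/libSystem.B.dylib:\n"
        "\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.60.1)\n"
        "\t/usr/lib/system/libcache.dylib (compatibility version 1.0.0, current version 83.0.0)\n",
    "/usr/lib/system/libcache.dylib": "/usr/lib/system/libcache.dylib:\n"
        "\t/usr/lib/system/libcache.dylib (compatibility version 1.0.0, current version 83.0.0)\n",
}


def fake_otool(path):
    return FAKE_OTOOL.get(path)


if __name__ == "__main__":
    # Usage: python3 chroot_deps.py /bin/bash /tmp/chroot
    binary, root = sys.argv[1], sys.argv[2]
    for dep, kind in copy_into_jail(root, [binary] + resolve_deps(binary)).items():
        print(f"{kind:10s} {dep}")
```

On a pre-Big Sur system every entry comes back `on-disk` and the jail is complete once the script finishes; on Big Sur and later the libSystem and ncurses entries come back `cache-only`, which is the same result the `ls` transcript above shows, only now distinguished from a genuinely missing library. Note that `otool -L` on a dylib lists the library's own install name first; the `seen` set is what keeps that from looping.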