An administrator wants to create a chroot environment for a potentially compromised service. The service needs to read /etc/resolv.conf and /etc/hosts, and run from a directory /chroot/service. Which of the following steps is essential to ensure the chroot environment is secure and functional?
Device files are required for many system calls; without them, the service may crash or hang.
Why this answer
Option B is correct because the chroot environment must contain the device files that system calls depend on. Option A is wrong because copying binaries into the chroot is not always sufficient; they must be linked against libraries available inside. Option C is wrong because /proc should be mounted for some services but is not essential for the basic resolution files; however, it is often needed.
Option D is wrong because making the jail's filesystem read-only is a security measure but is not essential for functionality. The most essential step is to create device nodes (like /dev/null, /dev/random) because many services require them.