| 1 |
Rich Freeman <rich0@g.o> wrote: |
| 2 |
> On Sun, Sep 24, 2017 at 4:24 AM, Martin Vaeth <martin@×××××.de> wrote: |
| 3 |
>> Tim Harder <radhermit@g.o> wrote: |
| 4 |
>> |
| 5 |
>> It is the big advantage of overlay that it is implemented in |
| 6 |
>> kernel and does not involve any time-consuming checks during |
| 7 |
>> normal file operations. |
| 8 |
> |
| 9 |
> Why would you expect containers to behave any differently? |
| 10 |
|
| 11 |
For overlay, there is only one directory to be checked in |
| 12 |
addition for every file access. |
| 13 |
|
| 14 |
For containers, at least a dozens of binds are minimally required |
| 15 |
(/usr /proc /sys /dev ...). But as you mentioned in your posting, |
| 16 |
if you want to take more care you easily have thousands of bind mounts. |
| 17 |
At least implicitly in the kernel, all of these binds must be checked |
| 18 |
for every file access. I am not sure whether this happens very quickly |
| 19 |
by hashing (so that essentially really only the creation costs time). |
| 20 |
|
| 21 |
As mentioned, I do not have actual timing results. I am just afraid |
| 22 |
that it might easily cost more than a context-switch which already |
| 23 |
gives a slowdown for fuse-overlay which is so large that I would |
| 24 |
not recommend it for a sandbox. |
| 25 |
|
| 26 |
> Now, I am concerned about the time to create the container, if we're |
| 27 |
> going to specify individual files, but the same would be true of an |
| 28 |
> overlay. [...] |
| 29 |
> to populate an overlayfs with just that specific list of files. |
| 30 |
|
| 31 |
No. For overlay you need only one mount (not even a bind) |
| 32 |
and only one directory traversal at the end to check for |
| 33 |
violations. |
| 34 |
The nice thing is that this is practically independent of |
| 35 |
the number or structure of directories/files you want to protect, |
| 36 |
i.e. it scales perfectly well. |
| 37 |
For the more fine-grained approach, you just delete the files |
| 38 |
you do not want to have in the beginning. Not sure, how quick this |
| 39 |
can be done, but once it is done, the slowdown when running the |
| 40 |
sandbox is independent of the number of deleted files (because |
| 41 |
here certainly only one hash lookup is required). |
| 42 |
|
| 43 |
Of course, as mgorny already observed, overlay alone is not an |
| 44 |
absolute protection (e.g. against writing to some /dev/...), |
| 45 |
so perhaps it is a good idea to use containers as an additional |
| 46 |
protection level. |
| 47 |
|
| 48 |
> If you just replicate the current sandbox |
| 49 |
> functionality then setup time is tiny |
| 50 |
|
| 51 |
I am not so much concerned about the setup time but more about the |
| 52 |
delay caused for file operations once the sandbox is set up. |
| 53 |
Perhaps even a dozen bind directories already give a considerable |
| 54 |
slowdown... |
Archives