| 1 |
On Thursday 08 August 2002 06:09, Charles Lacour wrote: |
| 2 |
> |
| 3 |
> I'd also like to get (and am willing to pay for with documentation of same) |
| 4 |
> an explanation of what exactly it is that sandbox does. (And probably a |
| 5 |
> couple of other pieces of portage.) |
| 6 |
> |
| 7 |
> I know it keeps things from messing with the real filesystem, but _how_, |
| 8 |
> specifically? It's much harder to figure out why you're having a problem |
| 9 |
> with something when you have no idea what it's doing. |
| 10 |
> |
| 11 |
> Since quasi-teaching somebody a language via email and such is not real |
| 12 |
> high on many people's list of fun things to do, I'll also put in a request |
| 13 |
> for any good online tutorials on doing Python. (And if the doc for portage |
| 14 |
> still needs to be done once I've mastered it, I'll be willing to help.) |
| 15 |
|
| 16 |
In short, sandbox replaces a number of glibc functions that concern the |
| 17 |
filesystem. Examples of those functions are: fopen, mkdir, link, rename, etc. |
| 18 |
All those functions are replaced with functions that check the place of the |
| 19 |
file in the filesystem, and based on certain environment variables deny or |
| 20 |
allow access to the functions. Because libsandbox.so is put in the |
| 21 |
/lib/ld.so.preload file, all programs run first load this libsandbox before |
| 22 |
anything else. This allows for the replacement of the glibc functions. BTW. |
| 23 |
electric fence for example does the same trick on different functions |
| 24 |
(malloc). |
| 25 |
|
| 26 |
Paul |
| 27 |
|
| 28 |
btw. I don't believe it is nescesarry to understand python to write ebuilds as |
| 29 |
they are written entirely in bash. |
| 30 |
|
| 31 |
-- |
| 32 |
Paul de Vrieze |
| 33 |
Junior Researcher |
| 34 |
Mail: pauldv@××××××.nl |
| 35 |
Homepage: http://www.devrieze.net |
Archives