1 |
On Thursday 08 August 2002 06:09, Charles Lacour wrote: |
2 |
> |
3 |
> I'd also like to get (and am willing to pay for with documentation of same) |
4 |
> an explanation of what exactly it is that sandbox does. (And probably a |
5 |
> couple of other pieces of portage.) |
6 |
> |
7 |
> I know it keeps things from messing with the real filesystem, but _how_, |
8 |
> specifically? It's much harder to figure out why you're having a problem |
9 |
> with something when you have no idea what it's doing. |
10 |
> |
11 |
> Since quasi-teaching somebody a language via email and such is not real |
12 |
> high on many people's list of fun things to do, I'll also put in a request |
13 |
> for any good online tutorials on doing Python. (And if the doc for portage |
14 |
> still needs to be done once I've mastered it, I'll be willing to help.) |
15 |
|
16 |
In short, sandbox replaces a number of glibc functions that concern the |
17 |
filesystem. Examples of those functions are: fopen, mkdir, link, rename, etc. |
18 |
All those functions are replaced with functions that check the place of the |
19 |
file in the filesystem, and based on certain environment variables deny or |
20 |
allow access to the functions. Because libsandbox.so is put in the |
21 |
/lib/ld.so.preload file, all programs run first load this libsandbox before |
22 |
anything else. This allows for the replacement of the glibc functions. BTW. |
23 |
electric fence for example does the same trick on different functions |
24 |
(malloc). |
25 |
|
26 |
Paul |
27 |
|
28 |
btw. I don't believe it is nescesarry to understand python to write ebuilds as |
29 |
they are written entirely in bash. |
30 |
|
31 |
-- |
32 |
Paul de Vrieze |
33 |
Junior Researcher |
34 |
Mail: pauldv@××××××.nl |
35 |
Homepage: http://www.devrieze.net |