On Thu, Mar 8, 2018 at 7:06 PM, Rich Freeman <rich0@g.o> wrote:
> On Thu, Mar 8, 2018 at 7:46 PM, Benda Xu <heroxbd@g.o> wrote:
>> Rich Freeman <rich0@g.o> writes:
>>
>>> If you have util-linux installed then try running (as any user - you
>>> don't have to be root): unshare -i -m -n -p -u -C -f --mount-proc -U
>>> -r /bin/bash
>>>
>>> Congrats. You are now root in a container. You're in the same root
>>> filesystem as always. You'll note that you can't actually see
>>> anything that you couldn't see before. If you run ps -ea you'll see
>>> that you're the only process running on the system. Devices like
>>> /dev/sda aren't actually accessible. A lot of container managers
>>> would mount a new /dev and just hide most of that stuff. You can
>>> probably imagine how something like this could be useful for isolating
>>> processes.
>>
>> Just a side note, this seems to be the ultimate sandbox we (Gentoo and
>> portage) are after. With this, we might even be able to have portage
>> fully functional: a build is completely determined and only determined by
>> the dependencies and USE flags.
>>
>
> I'm not sure how well this would perform, but I had given this a bit
> of thought a few years ago. There are two obvious ways to go about
> this: the sandbox or containers.
>

It may be possible to use fanotify(7) (but this would only catch disk
access). There is an extension to fanotify created as someone's thesis
(http://lkml.iu.edu/hypermail/linux/kernel/1703.1/05249.html) that
allows recursive watches. One of the features of fanotify is that it
is possible to deny the events generated. The fanotify API may
simplify the application of the generated rules. It was designed to be
fast, and most processing is done in the kernel when calls are made.

Sadly interest in the patches seems to have waned. The functionality
is not exactly duplicated in containers, but they do make it easier to
find changes.
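The quoted `unshare -U -r` trick works because the kernel translates every credential through the new user namespace's uid_map, so "root" inside is still the unprivileged caller outside. The following is an added example, not code from the thread or from util-linux: it parses the uid_map format `unshare -r` writes (one constructed line, `0 1000 1`, assuming the caller is uid 1000) and translates uids in both directions, including the unmapped case that surfaces as the overflow uid.

```python
"""Why `unshare -U -r` gives "root" without granting anything.

`unshare -r` writes one line into /proc/<pid>/uid_map of the form
"<ns-uid> <host-uid> <count>".  The kernel consults this table on every
access check, so uid 0 in the namespace is the caller's real uid to the
filesystem and to /dev.  Uids with no mapping show up as the overflow uid.
"""

OVERFLOW_UID = 65534  # default /proc/sys/kernel/overflowuid ("nobody")


def parse_uid_map(text):
    """Parse uid_map/gid_map text into (ns_start, host_start, count) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError("malformed map line: %r" % line)
        ns_start, host_start, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError("count must be positive: %r" % line)
        entries.append((ns_start, host_start, count))
    return entries


def ns_to_host(entries, ns_uid):
    """Host uid that a uid seen inside the namespace really is."""
    for ns_start, host_start, count in entries:
        if ns_start <= ns_uid < ns_start + count:
            return host_start + (ns_uid - ns_start)
    return OVERFLOW_UID  # unmapped: kernel reports the overflow uid


def host_to_ns(entries, host_uid):
    """How a host uid (e.g. the owner of /dev/sda) appears inside."""
    for ns_start, host_start, count in entries:
        if host_start <= host_uid < host_start + count:
            return ns_start + (host_uid - host_start)
    return OVERFLOW_UID


# Constructed sample: what `unshare -U -r` writes when run as uid 1000.
UNSHARE_R_MAP = "         0       1000          1\n"

if __name__ == "__main__":
    m = parse_uid_map(UNSHARE_R_MAP)
    print("uid 0 inside the namespace is host uid", ns_to_host(m, 0))
    print("host root (owner of /dev/sda) appears inside as", host_to_ns(m, 0))
```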