Gentoo Archives: gentoo-dev

From: James McMechan <james_mcmechan@×××××××.com>
To: "gentoo-dev@l.g.o" <gentoo-dev@l.g.o>
Subject: [gentoo-dev] An example overlayfs sandbox test
Date: Fri, 22 Sep 2017 23:43:57
Message-Id: MWHPR10MB15341EDD4B47F0688624ED7DE2670@MWHPR10MB1534.namprd10.prod.outlook.com
Hello,
I thought an example of how an overlay sandbox could work was in order.

###
# load the overlayfs filesystem for this test
modprobe overlay

# make the directories for the test
mkdir -p /var/tmp/upper /var/tmp/work /mnt/gentoo

# now create a separate, non-persistent mount namespace
unshare -m bash

# setup the overlay
mount -toverlay -oupperdir=/var/tmp/upper/,workdir=/var/tmp/work/,lowerdir=/ overlay /mnt/gentoo/

# since I don't care about protecting /var/tmp/portage
# put the original on top of the overlay for better performance maybe?
mount -o bind /var/tmp/portage /mnt/gentoo/var/tmp/portage

# then like the handbook
cd /mnt/gentoo
mount -t proc proc proc
mount --rbind /sys sys
mount --rbind /dev dev

# finally change into the protected sandbox
chroot . bash

# mess up the system

exit # the chroot
exit # the unshare
### done.

This version allows the sandbox to work with the special files in /dev, /proc, /sys;
other options are available, for example a second, separate set of dev/pts and dev/shm submounts.

When you exit the chroot and then the unshare, the /var/tmp/upper directory will contain all the changes made while in the chroot.

Enjoy,

Jim McMechan

Replies:

- Re: [gentoo-dev] An example overlayfs sandbox test - Rich Freeman <rich0@g.o>
- Re: [gentoo-dev] An example overlayfs sandbox test - Alec Warner <antarus@g.o>
- Re: [gentoo-dev] An example overlayfs sandbox test - Michał Górny <mgorny@g.o>