On Fri, 22.09.2017 at 23:43 +0000, James McMechan wrote:
> Hello,
> I thought an example of how an overlay sandbox could work was in order.
>
> ###
> # load the overlayfs filesystem for this test
> modprobe overlay
>
> # make the directories for the test
> mkdir -p /var/tmp/upper /var/tmp/work /mnt/gentoo
>
> # now create a separate, non-persistent mount namespace
> unshare -m bash
>
> # set up the overlay
> mount -t overlay -o upperdir=/var/tmp/upper/,workdir=/var/tmp/work/,lowerdir=/ overlay /mnt/gentoo/
>
> # since I don't care about protecting /var/tmp/portage,
> # put the original on top of the overlay for better performance maybe?
> mount -o bind /var/tmp/portage /mnt/gentoo/var/tmp/portage
>
> # then like the handbook
> cd /mnt/gentoo
> mount -t proc proc proc
> mount --rbind /sys sys
> mount --rbind /dev dev
>
> # finally change into the protected sandbox
> chroot . bash
>
> # mess up the system
>
> exit # the chroot
> exit # the unshare
> ### done.
>
> This version allows the sandbox to work with the special files in /dev, /proc and /sys;
> other options are available, for example a second separate dev/pts and dev/shm submounts.
>
> When you exit the chroot and then the unshare, the /var/tmp/upper directory will contain all the changes made while in the chroot.
>

How does that deal with access violations to device nodes? Named pipes,
UNIX sockets?

--
Best regards,
Michał Górny
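As an added example that is not part of either mail: a small POSIX shell audit of the overlay's upperdir, meant to run after exiting the chroot and the mount namespace, which classifies what the build left behind (regular files versus FIFOs, UNIX sockets, device nodes, and overlayfs whiteouts, i.e. deletions of lowerdir entries). The path /var/tmp/upper is the one from James's script; the function name audit_upper and the GNU find/stat dependency are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the overlay upperdir after
# the sandboxed build has finished (after exiting the chroot and the unshare).
# Everything the build wrote, deleted or created lands here instead of on the
# real root, so this is where to look for changes outside the allowed locations.
#
# Classification (overlayfs semantics, Linux, GNU find/stat assumed):
#   regular files                   - normal build output copied up or created
#   FIFOs / UNIX sockets            - special files created by the build
#   device nodes with a real major:minor - device nodes created by the build
#   character devices 0:0           - overlayfs whiteouts = deletions of lowerdir entries
# The default path /var/tmp/upper is the upperdir used in the mail.

audit_upper() {
    upper=${1:-/var/tmp/upper}
    regular=$(find "$upper" -type f | wc -l)
    fifos=$(find "$upper" -type p | wc -l)
    sockets=$(find "$upper" -type s | wc -l)
    # stat %t/%T print major/minor in hex; 0:0 marks an overlayfs whiteout.
    whiteouts=$(find "$upper" -type c -exec stat -c '%t:%T' {} + | grep -c '^0:0$' || true)
    devnodes=$(find "$upper" \( -type c -o -type b \) -exec stat -c '%t:%T' {} + | grep -vc '^0:0$' || true)
    echo "regular=$regular fifos=$fifos sockets=$sockets devnodes=$devnodes whiteouts=$whiteouts"
    # Return 1 when anything other than plain files and deletions was created, so
    # a wrapper around the build can flag the upperdir for manual inspection.
    [ "$((fifos + sockets + devnodes))" -eq 0 ]
}

if [ "$#" -gt 0 ]; then
    audit_upper "$1"
fi
```

Whiteouts only tell you that a lowerdir entry was removed inside the sandbox; the path of the 0:0 node names the file that would have been deleted on the real root.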