| 1 |
W dniu pią, 22.09.2017 o godzinie 23∶43 +0000, użytkownik James McMechan |
| 2 |
napisał: |
| 3 |
> Hello, |
| 4 |
> I thought a example of how a overlay sandbox could work was in order. |
| 5 |
> |
| 6 |
> ### |
| 7 |
> # load the overlayfs filesystem for this test |
| 8 |
> modprobe overlay |
| 9 |
> |
| 10 |
> # make the directories for the test |
| 11 |
> mkdir -p /var/tmp/upper /var/tmp/work /mnt/gentoo |
| 12 |
> |
| 13 |
> # now create a separate mount namespace non-persistent |
| 14 |
> unshare -m bash |
| 15 |
> |
| 16 |
> # setup the overlay |
| 17 |
> mount -toverlay -oupperdir=/var/tmp/upper/,workdir=/var/tmp/work/,lowerdir=/ overlay /mnt/gentoo/ |
| 18 |
> |
| 19 |
> # since I don't care about protecting /var/tmp/portage |
| 20 |
> # put the original on top of the overlay for better performance maybe? |
| 21 |
> mount -o bind /var/tmp/portage /mnt/gentoo/var/tmp/portage |
| 22 |
> |
| 23 |
> # then like the handbook |
| 24 |
> cd /mnt/gentoo |
| 25 |
> mount -t proc proc proc |
| 26 |
> mount --rbind /sys sys |
| 27 |
> mount --rbind /dev dev |
| 28 |
> |
| 29 |
> #finally change into the protected sandbox |
| 30 |
> chroot . bash |
| 31 |
> |
| 32 |
> # mess up the system |
| 33 |
> |
| 34 |
> exit # the chroot |
| 35 |
> exit # the unshare |
| 36 |
> ### done. |
| 37 |
> |
| 38 |
> This version allows the sandbox to work with the special files in /dev, /proc, /sys |
| 39 |
> other options are available for example a second separate dev/pts and dev/shm submounts |
| 40 |
> |
| 41 |
> When you exit the chroot and then the unshare, the /var/tmp/upper directory will contain all the changes made while in the chroot. |
| 42 |
> |
| 43 |
|
| 44 |
How does that deal with access violations to device nodes? Named pipes, |
| 45 |
UNIX sockets? |
| 46 |
|
| 47 |
-- |
| 48 |
Best regards, |
| 49 |
Michał Górny |
Archives