  1. #1
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    703

    Making a filesystem sandbox


    I am trying to sandbox an application in such a way that none of its filesystem operations are actually committed to disk. Reads should come from disk, writes should be cached for the lifetime of the app and re-reads and re-writes should happen in the cache. Once the app exits, its changes can be discarded (although it'd be really neat if I could examine the cache after and extract particular files).

    What I would like is something like vsound that will hook particular operations and redirect them transparently, but I have never heard of such a thing and google mostly returns sandbox pages on various wikis.

    I've tried kludging something together with unionfs and chroot, as follows.

    Code:
    $ df
    Filesystem           1K-blocks Used Available Use% Mounted on
    /dev/hda1             10317828   3490912   6302800  36% /
    <snip>
    /dev/hda3             27103148   4293500  21432880  17% /home
    $ mkdir sandbox
    $ mkdir sandbox_data
    $ sudo mount -t unionfs -o dirs=/=ro unionfs ./sandbox

    This gets me close but because the home directory is on another partition it isn't available through unionfs, and trying to mount the home directory with another unionfs operation gives an error.

    Code:
    $ sudo mount -t unionfs -o dirs=/home=ro:/home/chris/sandbox_data=rw unionfs /home/chris/sandbox
    mount: wrong fs type, bad option, bad superblock on unionfs,
           missing codepage or other error
           In some cases useful info is found in syslog - try
           dmesg | tail  or so
    $ dmesg | tail
    [17184188.800000] unionfs: branches 0 and 1 overlap
    [17184188.800000] unionfs_read_super: error while parsing options (err = -22)

    So unionfs seems to be a wash. It wouldn't give me what I want anyway because I'd still need to be root to chroot to the sandbox and I want this to be available to ordinary users.

    Any suggestions?

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.

  2. #2
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    703
    Some further hacking and I've managed to make the unionfs sandbox work. Part of the problem seems to be that I had the sandbox data on the partition I was trying to virtualise.

    Code:
    mkdir /sandbox
    mount /dev/hda1 /sandbox
    mkdir /tmp/sandbox_data
    mount -t unionfs -o dirs=/tmp/sandbox_data=rw:/home=ro unionfs /sandbox/home/
    chroot /sandbox su - chris bash

    And now bash is running in my sandbox. Still not the solution I want because it requires root permissions to chroot the sandboxed app, it can't sandbox multiple applications separately and any files the app creates are committed to disk.

    All in all a pretty substandard solution so my previous question still stands. Does anyone know of a simple sandboxing application?

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.
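
Added example, not part of any post in this thread: a pre-flight check for the condition dmesg reported in post #1 ("branches 0 and 1 overlap", err = -22), where /home/chris/sandbox_data lies under /home, and which the /tmp/sandbox_data layout in post #2 avoids. The function names are hypothetical, branch paths are assumed to be absolute, and the script only prints the mount command rather than running it.

```shell
#!/bin/sh
# Added example: refuse unionfs branch lists in which one branch contains
# the other. Helper names are hypothetical; paths are assumed absolute.

# Canonicalise a path. Falls back to trimming trailing slashes when GNU
# "realpath -m" is unavailable (symlinks are then not resolved).
canon() {
    p=$(realpath -m -- "$1" 2>/dev/null) || p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do p=${p%/}; done
    printf '%s\n' "$p"
}

# Succeeds when $1 is the same directory as $2 or lies beneath it.
is_within() {
    child=$(canon "$1"); parent=$(canon "$2")
    if [ "$parent" = "/" ]; then return 0; fi
    case "$child/" in
        "$parent"/*) return 0 ;;   # "/homework/" does not match "/home"/*
    esac
    return 1
}

# Succeeds when either branch contains the other.
branches_overlap() {
    is_within "$1" "$2" || is_within "$2" "$1"
}

# Print the mount command for a writable branch stacked on a read-only
# one, or return 22 (EINVAL, matching err = -22 in the dmesg output).
sandbox_mount_cmd() {
    rw=$1; ro=$2; mnt=$3
    if branches_overlap "$rw" "$ro"; then
        echo "refusing: $rw and $ro overlap" >&2
        return 22
    fi
    printf 'mount -t unionfs -o dirs=%s=rw:%s=ro unionfs %s\n' "$rw" "$ro" "$mnt"
}

# The two layouts from the thread, with paths as posted.
sandbox_mount_cmd /home/chris/sandbox_data /home /home/chris/sandbox \
    || echo "exit status: $?"
sandbox_mount_cmd /tmp/sandbox_data /home /sandbox/home/
```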

  3. #3
    Linux Newbie burntfuse's Avatar
    Join Date
    Nov 2006
    Location
    Laurel, MD
    Posts
    158
    Hmmm, seems like this is something that would be better suited to a new filesystem. If you wrote a kernel module for it, I'm sure it would be useful for other people too.
    I have sold my soul to the penguin
