01-06-2007 #1, Linux Enthusiast (Join Date: Apr 2004; Location: UK; Posts: 678)
Making a filesystem sandbox
I am trying to sandbox an application in such a way that none of its filesystem operations are actually committed to disk. Reads should come from disk, writes should be cached for the lifetime of the app, and re-reads and re-writes should happen in the cache. Once the app exits, its changes can be discarded (although it'd be really neat if I could examine the cache afterwards and extract particular files).
What I would like is something like vsound that will hook particular operations and redirect them transparently, but I have never heard of such a thing and google mostly returns sandbox pages on various wikis.
I've tried kludging something together with unionfs and chroot, as follows.
Code:
$ df
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/hda1       10317828 3490912   6302800  36% /
<snip>
/dev/hda3       27103148 4293500  21432880  17% /home
$ mkdir sandbox
$ mkdir sandbox_data
$ sudo mount -t unionfs -o dirs=/=ro unionfs ./sandbox
This gets me close, but because the home directory is on another partition it isn't available through unionfs, and trying to mount the home directory with another unionfs operation gives an error.
Code:
$ sudo mount -t unionfs -o dirs=/home=ro:/home/chris/sandbox_data=rw unionfs /home/chris/sandbox
mount: wrong fs type, bad option, bad superblock on unionfs,
       missing codepage or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so
$ dmesg | tail
[17184188.800000] unionfs: branches 0 and 1 overlap
[17184188.800000] unionfs_read_super: error while parsing options (err = -22)
So unionfs seems to be a wash. It wouldn't give me what I want anyway, because I'd still need to be root to chroot to the sandbox and I want this to be available to ordinary users.
Any suggestions?
Chris...To be good, you must first be bad. "Newbie" is a rank, not a slight.
01-06-2007 #2, Linux Enthusiast (Join Date: Apr 2004; Location: UK; Posts: 678)
Some further hacking and I've managed to make the unionfs sandbox work. Part of the problem seems to be that I had the sandbox data on the partition I was trying to virtualise.
Code:
mkdir /sandbox
mount /dev/hda1 /sandbox          # hda1 is the root partition (see the df output above)
mkdir /tmp/sandbox_data           # rw branch kept on hda1, not under /home
mount -t unionfs -o dirs=/tmp/sandbox_data=rw:/home=ro unionfs /sandbox/home/
chroot /sandbox
su - chris
bash
And now bash is running in my sandbox. Still not the solution I want, because it requires root permissions to chroot the sandboxed app, it can't sandbox multiple applications separately, and any files the app creates are committed to disk.
All in all a pretty substandard solution so my previous question still stands. Does anyone know of a simple sandboxing application?
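The following script is an added example and not code from either post above. It turns the two lessons of posts #1 and #2 into checks: unionfs rejected the first attempt because the rw branch (/home/chris/sandbox_data) sat inside the ro branch (/home), which is what the "branches 0 and 1 overlap" message reports, and the working layout puts the rw branch on another partition, which then holds everything the sandboxed app wrote. The overlap rule (one branch equal to or beneath the other) is an assumption inferred from that error message, and the dirs=...=rw:...=ro option syntax is the one the thread uses; nothing here mounts anything, the mount command is only printed so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the thread). Plans a unionfs sandbox, refuses
# overlapping branches, and lists what a finished session wrote.
# Assumptions: unionfs "dirs=<path>=rw:<path>=ro" syntax as in the thread;
# overlap means one branch equals or lies beneath the other.

# Strip trailing slashes from a path, keeping "/" itself.
norm_path() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do
        p=${p%/}
    done
    printf '%s\n' "$p"
}

# Exit 0 (true) when one branch is the other or lies beneath it.
branches_overlap() {
    a=$(norm_path "$1")
    b=$(norm_path "$2")
    [ "$a" = "$b" ] && return 0
    [ "$a" = "/" ] && return 0      # "/" contains every other path
    [ "$b" = "/" ] && return 0
    case "$b" in "$a"/*) return 0 ;; esac
    case "$a" in "$b"/*) return 0 ;; esac
    return 1
}

# Print the mount command for a sandbox whose writes land in $1 (rw branch)
# over the read-only tree $2, mounted at $3. Fails instead of printing an
# overlapping configuration, so the mistake is caught before running as root.
sandbox_mount_cmd() {
    rw=$1; ro=$2; target=$3
    if branches_overlap "$rw" "$ro"; then
        echo "refusing: rw branch '$rw' overlaps ro branch '$ro'" >&2
        return 1
    fi
    printf 'mount -t unionfs -o dirs=%s=rw:%s=ro unionfs %s\n' "$rw" "$ro" "$target"
}

# After the session: every regular file the app created or modified, as
# paths relative to the rw branch root, so particular files can be pulled out.
sandbox_changes() {
    rw=$(norm_path "$1")
    ( cd "$rw" && find . -type f | sed 's|^\./||' | sort )
}

# Demonstration with the paths from the thread: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    sandbox_mount_cmd /tmp/sandbox_data /home /sandbox/home
    sandbox_mount_cmd /home/chris/sandbox_data /home /home/chris/sandbox || true
fi
```

Run with the `demo` argument to see the first (working) layout printed and the second (overlapping) layout refused; after a real session, `sandbox_changes /tmp/sandbox_data` lists the files the app wrote into the rw branch.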
01-06-2007 #3
Hmmm, seems like this is something that would be better suited to a new filesystem. If you wrote a kernel module for it, I'm sure it would be useful for other people too.
I have sold my soul to the penguin