Making a filesystem sandbox
I am trying to sandbox an application in such a way that none of its filesystem operations are actually committed to disk. Reads should come from disk, writes should be cached for the lifetime of the app, and re-reads and re-writes should happen in the cache. Once the app exits, its changes can be discarded (although it'd be really neat if I could examine the cache afterwards and extract particular files).
What I would like is something like vsound that will hook particular operations and redirect them transparently, but I have never heard of such a thing and google mostly returns sandbox pages on various wikis.
I've tried kludging something together with unionfs and chroot, as follows.
Code:
$ df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/hda1 10317828 3490912 6302800 36% /
<snip>
/dev/hda3 27103148 4293500 21432880 17% /home
$ mkdir sandbox
$ mkdir sandbox_data
$ sudo mount -t unionfs -o dirs=/=ro unionfs ./sandbox
This gets me close, but because the home directory is on another partition it isn't available through unionfs, and trying to mount the home directory with another unionfs operation gives an error.
Code:
$ sudo mount -t unionfs -o dirs=/home=ro:/home/chris/sandbox_data=rw unionfs /home/chris/sandbox
mount: wrong fs type, bad option, bad superblock on unionfs,
missing codepage or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
$ dmesg | tail
[17184188.800000] unionfs: branches 0 and 1 overlap
[17184188.800000] unionfs_read_super: error while parsing options (err = -22)
So unionfs seems to be a wash. It wouldn't give me what I want anyway because I'd still need to be root to chroot to the sandbox and I want this to be available to ordinary users.
Any suggestions?
Chris...
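One way to get the transparent, unprivileged redirection the post is asking for, as an added example that is not part of the original thread: a C helper that an LD_PRELOAD shim's open() wrapper could call to decide where a path really goes (reads from disk until the file has been written, every write copy-on-written into a private cache directory that survives for inspection). The SANDBOX_CACHE variable and the function names are assumptions, not anything from the post.

```c
/* Copy-on-write path mapping for an interposed open(): a hypothetical helper, not from the post. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* mkdir -p for every directory component of a file path (path is modified temporarily). */
static int mkdir_parents(char *path) {
    for (char *p = path + 1; *p; p++) {
        if (*p != '/') continue;
        *p = '\0';
        int rc = mkdir(path, 0700);
        *p = '/';
        if (rc != 0 && errno != EEXIST) return -1;
    }
    return 0;
}

/* Copy src to dst byte for byte; a missing src is not an error (the app is creating a new file). */
static int copy_file(const char *src, const char *dst) {
    int in = open(src, O_RDONLY);
    if (in < 0) return errno == ENOENT ? 0 : -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (out < 0) { close(in); return -1; }
    char buf[8192]; ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    close(in); close(out);
    return n < 0 ? -1 : 0;
}
/* Map an absolute, canonical path to the path the sandboxed open() should really use.
 * A read goes to the cache copy if one exists, otherwise to the real file; any write
 * access first materialises a private copy under the cache directory, so the disk is
 * never modified. SANDBOX_CACHE is an assumed environment variable naming that directory. */
int sandbox_resolve(const char *path, int flags, char *out, size_t outlen) {
    const char *root = getenv("SANDBOX_CACHE");
    if (!root) root = "/tmp/sandbox_cache";
    if (path[0] != '/' || strstr(path, "/..")) return -1;   /* refuse paths that could escape the cache */
    if (snprintf(out, outlen, "%s%s", root, path) >= (int)outlen) return -1;
    int wants_write = (flags & O_ACCMODE) != O_RDONLY || (flags & (O_CREAT | O_TRUNC));
    if (access(out, F_OK) == 0) return 0;                    /* already cached: re-reads and re-writes hit the cache */
    if (!wants_write) { snprintf(out, outlen, "%s", path); return 0; }  /* plain read comes from disk */
    if (mkdir_parents(out) != 0) return -1;
    return copy_file(path, out);                             /* first write: copy-on-write into the cache */
}
```

Only calls that go through the wrapped libc entry point are redirected; statically linked binaries or programs issuing raw syscalls bypass an LD_PRELOAD shim entirely, so this is containment for cooperative code, not a security boundary against hostile code.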