Making a filesystem sandbox
I am trying to sandbox an application in such a way that none of its filesystem operations are actually committed to disk. Reads should come from disk, writes should be cached for the lifetime of the app, and re-reads and re-writes should happen in the cache. Once the app exits, its changes can be discarded (although it'd be really neat if I could examine the cache afterwards and extract particular files).
What I would like is something like vsound that will hook particular operations and redirect them transparently, but I have never heard of such a thing and Google mostly returns sandbox pages on various wikis.
I've tried kludging something together with unionfs and chroot, as follows.

Filesystem 1K-blocks Used Available Use% Mounted on
/dev/hda1 10317828 3490912 6302800 36% /
/dev/hda3 27103148 4293500 21432880 17% /home

$ mkdir sandbox
$ mkdir sandbox_data
$ sudo mount -t unionfs -o dirs=/=ro unionfs ./sandbox

This gets me close, but because the home directory is on another partition it isn't available through unionfs, and trying to mount the home directory with another unionfs operation gives an error.

$ sudo mount -t unionfs -o dirs=/home=ro:/home/chris/sandbox_data=rw unionfs /home/chris/sandbox
mount: wrong fs type, bad option, bad superblock on unionfs,
missing codepage or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
$ dmesg | tail
[17184188.800000] unionfs: branches 0 and 1 overlap
[17184188.800000] unionfs_read_super: error while parsing options (err = -22)

So unionfs seems to be a wash. It wouldn't give me what I want anyway, because I'd still need to be root to chroot to the sandbox and I want this to be available to ordinary users.
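One way to get what the question asks for without root, as an added example that is not from the thread: overlayfs (the in-tree successor to unionfs) mounted inside an unprivileged user and mount namespace, with a second overlay for /home because an overlay of / does not show the mounts beneath it (the missing home partition above). Assumed: Linux 5.11 or later, util-linux unshare(1); the helper names and the SB_SAVE variable are mine.

```shell
#!/bin/sh
# Copy-on-write sandbox: overlayfs stacked over / and over /home inside an
# unprivileged user+mount namespace (no sudo).  Assumptions, not from the
# thread: Linux >= 5.11 (overlayfs allowed in user namespaces), util-linux
# unshare(1)/mount(8), and SB_SAVE as an optional directory that receives a
# copy of the write cache after the app exits.
set -eu

# overlayfs option string: lower = read-only tree, upper = where writes go,
# work = overlayfs scratch dir (must be on the same filesystem as upper).
overlay_opts() {
    printf 'lowerdir=%s,upperdir=%s,workdir=%s' "$1" "$2" "$3"
}

# True when major.minor "$1" is at least "$2" (prerequisite check).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n | head -n1)" = "$2" ]
}

# Runs as root inside the new namespaces.  All upper/work dirs live on a
# private tmpfs, so nothing the app writes reaches disk.  /home needs its
# own overlay because the overlay of / does not show mounts beneath it.
sandbox_inner() {
    scratch=$(mktemp -d)
    mount -t tmpfs tmpfs "$scratch"
    mkdir -p "$scratch/root" "$scratch/u" "$scratch/w" "$scratch/hu" "$scratch/hw"
    mount -t overlay overlay -o "$(overlay_opts / "$scratch/u" "$scratch/w")" "$scratch/root"
    mount -t overlay overlay -o "$(overlay_opts /home "$scratch/hu" "$scratch/hw")" "$scratch/root/home"
    mount --bind /proc "$scratch/root/proc"
    mount --bind /dev "$scratch/root/dev"
    status=0
    chroot "$scratch/root" "$@" || status=$?
    # The tmpfs dies with this namespace; copy the cache out first if asked
    # (whiteout entries for deleted files may not be copyable here).
    if [ -n "${SB_SAVE:-}" ]; then
        for pair in u:root hu:home; do
            mkdir -p "$SB_SAVE/${pair#*:}"
            cp -a "$scratch/${pair%%:*}/." "$SB_SAVE/${pair#*:}/" ||
                echo "warning: partial copy of ${pair#*:} cache" >&2
        done
    fi
    exit "$status"
}

main() {
    if [ "${1:-}" = "--inner" ]; then shift; sandbox_inner "$@"; fi
    version_ge "$(uname -r | cut -d- -f1 | cut -d. -f1,2)" 5.11 ||
        { echo "unprivileged overlayfs needs Linux >= 5.11" >&2; exit 1; }
    # -U new user ns, -r map us to root in it, -m new (private) mount ns.
    exec unshare -Urm "$0" --inner "$@"
}
[ $# -eq 0 ] || main "$@"
```

Run it as ./sandbox.sh some-app; with SB_SAVE=/some/dir the cached writes are copied out before the namespace disappears. Inside the sandbox the app runs as the namespace's root, which maps back to your own uid on disk.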