* [gentoo-dev] An example overlayfs sandbox test
@ 2017-09-22 23:43 99% James McMechan
From: James McMechan @ 2017-09-22 23:43 UTC
To: gentoo-dev@lists.gentoo.org
Hello,
I thought an example of how an overlay sandbox could work was in order.
###
# load the overlayfs filesystem for this test
modprobe overlay
# make the directories for the test
mkdir -p /var/tmp/upper /var/tmp/work /mnt/gentoo
# now create a separate mount namespace non-persistent
unshare -m bash
# setup the overlay
mount -toverlay -oupperdir=/var/tmp/upper/,workdir=/var/tmp/work/,lowerdir=/ overlay /mnt/gentoo/
# since I don't care about protecting /var/tmp/portage
# put the original on top of the overlay for better performance maybe?
mount -o bind /var/tmp/portage /mnt/gentoo/var/tmp/portage
# then like the handbook
cd /mnt/gentoo
mount -t proc proc proc
mount --rbind /sys sys
mount --rbind /dev dev
#finally change into the protected sandbox
chroot . bash
# mess up the system
exit # the chroot
exit # the unshare
### done.
This version allows the sandbox to work with the special files in /dev, /proc, /sys.
Other options are available, for example a second separate dev/pts and dev/shm submounts.
When you exit the chroot and then the unshare, the /var/tmp/upper directory will contain all the changes made while in the chroot.
Enjoy,
Jim McMechan
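
An added example, not part of the original message: one way to review what a sandbox session left in the upper directory, reporting overlayfs whiteouts (deletions), opaque directories, and added versus modified files. The function names `classify` and `overlay_changes` are hypothetical; GNU `find`/`stat` are assumed, and `getfattr` run as root is needed to see opaque directories.

```sh
# Added example: summarise the contents of an overlayfs upperdir after a session.
# Assumptions: GNU find/stat; getfattr (attr package) and root are needed to read
# trusted.overlay.opaque; paths containing newlines are not handled.

# classify UPPER_PATH LOWER_PATH -> deleted | opaque-dir | dir | modified | added
classify() (
    up=$1 low=$2
    if [ ! -L "$up" ] && [ -c "$up" ] && [ "$(stat -c '%t:%T' "$up")" = "0:0" ]; then
        # overlayfs records a deletion as a 0/0 character device (a "whiteout")
        echo deleted
    elif [ ! -L "$up" ] && [ -d "$up" ]; then
        # an opaque directory hides everything in the lower directory of the same name
        if [ "$(getfattr --only-values -n trusted.overlay.opaque "$up" 2>/dev/null)" = y ]; then
            echo opaque-dir
        else
            echo dir      # may exist only because something below it changed
        fi
    elif [ -e "$low" ] || [ -L "$low" ]; then
        echo modified     # copied up; content or only metadata may differ
    else
        echo added
    fi
)

# overlay_changes UPPERDIR [LOWERDIR] -> one "KIND<TAB>/path" line per upperdir entry.
# LOWERDIR defaults to /, the lowerdir used in the message.
overlay_changes() (
    upper=${1%/}
    lower=${2-/}
    lower=${lower%/}
    find "$upper" -mindepth 1 | LC_ALL=C sort | while IFS= read -r p; do
        rel=${p#"$upper"}
        printf '%s\t%s\n' "$(classify "$p" "$lower$rel")" "$rel"
    done
)

# Usage after leaving the chroot and the unshare:
#   overlay_changes /var/tmp/upper /
```
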