public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] An example overlayfs sandbox test
From: James McMechan @ 2017-09-22 23:43 UTC
  To: gentoo-dev@lists.gentoo.org


Hello,
I thought an example of how an overlay sandbox could work was in order.

###
# load the overlayfs filesystem module for this test
modprobe overlay

# make the directories for the test: the overlay's upper and work dirs
# (these two must be on the same filesystem) and the mount point for
# the merged view
mkdir -p /var/tmp/upper /var/tmp/work /mnt/gentoo

# now create a separate, non-persistent mount namespace;
# everything below is typed into the shell this starts, and every
# mount made in it disappears when that shell exits
unshare -m bash

# set up the overlay: / is the read-only lower layer, all writes
# land in the upper dir
mount -t overlay -o upperdir=/var/tmp/upper/,workdir=/var/tmp/work/,lowerdir=/ overlay /mnt/gentoo/

# since I don't care about protecting /var/tmp/portage
# put the original on top of the overlay for better performance maybe?
mount -o bind /var/tmp/portage /mnt/gentoo/var/tmp/portage

# then like the handbook: give the chroot a live /proc, /sys and /dev
cd /mnt/gentoo
mount -t proc proc proc
mount --rbind /sys sys
mount --rbind /dev dev

# finally change into the protected sandbox
chroot . bash

# mess up the system

exit # the chroot
exit # the unshare
### done.

This version allows the sandbox to work with the special files in /dev, /proc and /sys;
other options are available, for example a second, separate set of dev/pts and dev/shm submounts.

When you exit the chroot and then the unshare, the /var/tmp/upper directory will contain all the changes made while in the chroot.

Enjoy,

Jim McMechan
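As an added example (not part of Jim's mail or of Portage), the same recipe as a non-interactive function, plus a report of what the sandboxed command left in the upper directory. It assumes Linux with util-linux unshare and GNU coreutils/findutils, and the post's paths /var/tmp/upper, /var/tmp/work and /mnt/gentoo (overridable via the UPPER, WORK and MNT environment variables); run_sandboxed needs root, overlay_changes only read access to the upper dir.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed paths follow the mail;
# run_sandboxed requires root and the overlay module, overlay_changes does not.

# run_sandboxed CMD [ARG...]: build the overlay inside a private mount
# namespace, run CMD chrooted into it, and let the namespace (and every mount
# made in it) vanish when CMD exits. Only the upper directory survives.
run_sandboxed() {
    upper=${UPPER:-/var/tmp/upper} work=${WORK:-/var/tmp/work} mnt=${MNT:-/mnt/gentoo}
    mkdir -p "$upper" "$work" "$mnt" || return 1
    unshare -m /bin/sh -e -c '
        upper=$1 work=$2 mnt=$3; shift 3
        # lowerdir=/ is the read-only base; every write lands in upperdir
        mount -t overlay -o "upperdir=$upper,workdir=$work,lowerdir=/" overlay "$mnt"
        mount -t proc proc "$mnt/proc"
        mount --rbind /sys "$mnt/sys"
        mount --rbind /dev "$mnt/dev"
        exec chroot "$mnt" "$@"
    ' sh "$upper" "$work" "$mnt" "$@"
}

# overlay_changes UPPER: list every path the sandboxed command touched, one
# "ACTION<TAB>/path" line each, relative to the sandbox root. overlayfs records
# a deletion in the upper layer as a character device 0:0 (a "whiteout");
# any other entry is something the command created or rewrote. Reviewing this
# list (e.g. anything outside the build's own directories) is the cheap audit
# the upper directory makes possible.
overlay_changes() {
    upper=${1%/}
    find "$upper" -mindepth 1 -print | LC_ALL=C sort | while IFS= read -r p; do
        rel=${p#"$upper"}
        if [ -c "$p" ] && [ "$(stat -c '%t:%T' "$p")" = "0:0" ]; then
            printf 'deleted\t%s\n' "$rel"
        elif [ -d "$p" ]; then
            printf 'dir\t%s\n' "$rel"
        else
            printf 'written\t%s\n' "$rel"
        fi
    done
}

# Usage (as root): run_sandboxed emerge --oneshot some-package
#                  overlay_changes /var/tmp/upper
```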


