W dniu pią, 22.09.2017 o godzinie 23∶43 +0000, użytkownik James McMechan napisał: > Hello, > I thought a example of how a overlay sandbox could work was in order. > > ### > # load the overlayfs filesystem for this test > modprobe overlay > > # make the directories for the test > mkdir -p /var/tmp/upper /var/tmp/work /mnt/gentoo > > # now create a separate mount namespace non-persistent > unshare -m bash > > # setup the overlay > mount -toverlay -oupperdir=/var/tmp/upper/,workdir=/var/tmp/work/,lowerdir=/ > overlay /mnt/gentoo/ > > # since I don't care about protecting /var/tmp/portage > # put the original on top of the overlay for better performance maybe? > mount -o bind /var/tmp/portage /mnt/gentoo/var/tmp/portage > > # then like the handbook > cd /mnt/gentoo > mount -t proc proc proc > mount --rbind /sys sys > mount --rbind /dev dev > > #finally change into the protected sandbox > chroot . bash > > # mess up the system > > exit # the chroot > exit # the unshare > ### done. > > This version allows the sandbox to work with the special files in /dev, > /proc, /sys > other options are available for example a second separate dev/pts and dev/shm > submounts > > When you exit the chroot and then the unshare, the /var/tmp/upper directory > will contain all the changes made while in the chroot. >
How does that deal with access violations to device nodes? Named pipes, UNIX sockets? -- Best regards, Michał Górny
