[Exherbo-dev] [RFC/PATCH 0/1] esandbox exec

Ali Polatel alip at exherbo.org
Sat Oct 6 13:58:05 UTC 2012


Restarting services under sydbox is problematic. With the joining of
seccomp filters to the party, the issue gets even more difficult. Once
applied, a seccomp filter can't be disabled, thus it is not possible for
a sandboxed process to continue execution after sydbox exits.

This provides a good reason to implement an API to execute processes
without sandbox if required. I've added support for a simple one to
sydbox-1 today.

Basically sydbox-1 learned a magic command, namely cmd/exec. Upon
receiving this command sydbox-1 forks and changes directory to match the
process, reads the environment from /proc/$pid/environ and calls

The magic command is executed like:
$> sydbox -- sh -c "stat $(sydfmt exec echo hello world)"
hello world
  File: ‘/dev/sydbox/cmd/exec!echo\037hello\037world’
  Size: 0               Blocks: 0          IO Block: 512    character special file
Device: 0h/0d   Inode: 0           Links: 0     Device type: 1,3
Access: (0666/crw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)

What `sydfmt' does is join the program name and arguments, all
separated by US (the unit separator character).

A patch follows adding support to Paludis.

After this change, it is easy to execute services from within
exhereseses. Whether it should be done or not is another topic of
discussion. For example, to execute udevd from within an exheres, one
can call:

$> esandbox exec /sbin/udevd --daemon

That's it. No whitelisting, no resuming whatsoever.

Ali Polatel (1):
  sydbox: add esandbox exec for sydbox-1

 paludis/repositories/e/ebuild/sydbox.bash | 4 ++++
 1 file changed, 4 insertions(+)
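As an added illustration (not sydbox's or Paludis's own code), the cmd/exec path format shown in the stat output above, written out in Python: an encoder that mirrors what `sydfmt exec` produces and a decoder that recovers the argv from such a path, which is what you want when auditing a trace of sandboxed stat() calls for out-of-sandbox execution requests. It assumes the layout `/dev/sydbox/cmd/exec!` + fields joined by US (0x1f) and that sydbox splits on every US; the validation rules are my own.

```python
# Added example, not sydbox's code. Layout assumed from the mail:
# "/dev/sydbox/cmd/exec!" + program and arguments joined by US (0x1f).
from typing import List, Optional

SYDBOX_CMD_EXEC = "/dev/sydbox/cmd/exec!"
US = "\x1f"  # ASCII unit separator, the field delimiter sydfmt uses


def sydfmt_exec(argv: List[str]) -> str:
    """Mimic `sydfmt exec PROG ARGS...`: return the magic path to stat().

    Rejects vectors the format cannot carry unambiguously: an empty
    vector, an element containing US (it would split into two fields),
    or an element containing NUL (cannot appear in a pathname at all).
    """
    if not argv:
        raise ValueError("need at least a program name")
    for arg in argv:
        if US in arg or "\0" in arg:
            raise ValueError(f"argument not representable: {arg!r}")
    return SYDBOX_CMD_EXEC + US.join(argv)


def parse_exec_command(path: str) -> Optional[List[str]]:
    """Inverse of sydfmt_exec.

    Returns the argv sydbox would run outside the sandbox for a stat()
    of `path`, or None when the path is not a cmd/exec request (ordinary
    file access, or the prefix with an empty payload).
    """
    if not path.startswith(SYDBOX_CMD_EXEC):
        return None
    payload = path[len(SYDBOX_CMD_EXEC):]
    if not payload:
        return None
    return payload.split(US)


if __name__ == "__main__":
    magic = sydfmt_exec(["echo", "hello", "world"])
    print(magic.encode("unicode_escape").decode())  # shows the \x1f bytes
    print(parse_exec_command(magic))
```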
