[Exherbo-dev] [RFC/PATCH 0/1] esandbox exec
alip at exherbo.org
Sat Oct 6 13:58:05 UTC 2012
Restarting services under sydbox is problematic. With the joining of
seccomp filters to the party, the issue gets even more difficult. Once
applied, a seccomp filter can't be disabled, thus it is not possible for
a sandboxed process to continue execution after sydbox exits.
This provides a good reason to implement an API to execute processes
without sandbox if required. I've added support for a simple one to
Basically sydbox-1 learned a magic command, namely cmd/exec. Upon
receiving this command sydbox-1 forks and changes directory to match the
process, reads the environment from /proc/$pid/environ and calls
The magic command is executed like:
$> sydbox -- sh -c "stat $(sydfmt exec echo hello world)"
Size: 0 Blocks: 0 IO Block: 512 character special file
Device: 0h/0d Inode: 0 Links: 0 Device type: 1,3
Access: (0666/crw-rw-rw-) Uid: ( 0/ root) Gid: ( 0/ root)
What `sydfmt' does is join the program name and arguments, all
separated by US (the unit separator character, 0x1F).
A patch follows adding support to Paludis.
After this change, it is easy to execute services from within
exhereseses. Whether it should be done or not is another topic of
discussion. For example to execute udevd from within an exheres, one
$> esandbox exec /sbin/udevd --daemon
That's it. No whitelisting, no resuming whatsoever.
Ali Polatel (1):
sydbox: add esandbox exec for sydbox-1
paludis/repositories/e/ebuild/sydbox.bash | 4 ++++
1 file changed, 4 insertions(+)
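The following is an added illustration of the argument encoding the
message describes, not code from sydbox, sydfmt or the patch above. It
assumes a hypothetical magic path prefix (the real prefix used by
sydbox-1 is not shown in the message) and shows why a US-joined encoding
is used rather than a whitespace-joined one: an argument containing
spaces or shell metacharacters survives the round trip intact, whereas a
naive whitespace split would re-tokenize it.

```python
# Illustrative encoder/decoder for a sydfmt-style "exec" magic command.
# Not the sydbox/sydfmt implementation; MAGIC_PREFIX is an assumption.
import shlex

US = "\x1f"  # ASCII unit separator, as described in the message
MAGIC_PREFIX = "/dev/sydbox/cmd/exec/"  # hypothetical prefix, not from sydbox


def sydfmt_exec(argv):
    """Encode argv as a single magic path: prefix + argv joined by US."""
    if not argv:
        raise ValueError("argv must contain at least the program name")
    for arg in argv:
        # US is the delimiter, so it cannot appear inside an argument;
        # NUL cannot be part of a path or an execve() argument either.
        if US in arg or "\0" in arg:
            raise ValueError("argument contains a reserved byte: %r" % arg)
    return MAGIC_PREFIX + US.join(argv)


def parse_exec(path):
    """Decode a magic path back into argv.

    Returns None when the path is not a magic exec command at all, so a
    caller can fall through to ordinary path handling.
    """
    if not path.startswith(MAGIC_PREFIX):
        return None
    payload = path[len(MAGIC_PREFIX):]
    if not payload:
        raise ValueError("empty exec command")
    return payload.split(US)


def naive_parse(path):
    """What a whitespace-joined encoding would decode to (for contrast)."""
    if not path.startswith(MAGIC_PREFIX):
        return None
    return path[len(MAGIC_PREFIX):].split()


def roundtrip_ok(argv):
    """True if argv survives encode/decode unchanged."""
    return parse_exec(sydfmt_exec(argv)) == list(argv)


if __name__ == "__main__":
    # Constructed sample: an argument with spaces and a shell metacharacter.
    argv = ["echo", "hello world", "$(id)"]
    encoded = sydfmt_exec(argv)
    print("encoded:", repr(encoded))
    print("US decode:   ", parse_exec(encoded))
    print("naive decode:", naive_parse(MAGIC_PREFIX + " ".join(argv)))
    print("as shell would see it:", shlex.join(parse_exec(encoded)))
```

The NUL and US checks in `sydfmt_exec` are the two validation steps a
practitioner would want before the encoded string is handed to a
`stat` call, since neither byte can be represented in the path or in the
resulting execve() argument vector.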