[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[task #15701] Sandboxing the execution of the project
From: |
Mohammadreza Khellat |
Subject: |
[task #15701] Sandboxing the execution of the project |
Date: |
Thu, 30 Jul 2020 02:32:47 -0400 (EDT) |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 |
Follow-up Comment #12, task #15701 (project reproduce):
Thanks for the discussion Mohammad :-)
Yeah, I completely agree. LFS is a good approach and with proper fine-tuning,
it could become minimal and robust.
I think, with this approach, this is what you have in mind:
* build the basic structure required for LFS without root privileges and
capabilities
* restricting filesystem access of the rest of the project scripts to the
project directory using a user namespace and a nice chroot which uses the
built LFS.
unshare -U -r bash
chroot "$LFS" <LFS_ROOT>/bin/env -i HOME=<LFS_ROOT> TERM="$TERM" PS1='\u:\w\$
' PATH=<LFS_PATH_VAR> <LFS_ROOT>/bin/bash --login +h
* and from now on the rest of the project script is run inside this chroot
environment without filesystem access to anything outside the project
directory.
Please correct me if I have assumed anything not inline with the existing
plan.
----
P.S. As someone with tendency towards a theoretical mindset and
being always in awe of self-consistent constructs ;-), if I wanted to perfect
this approach, I would have slightly modified the first step:
* I would have tried to build the LFS itself inside a minimal chroot'd
environment composed of the minimal things that you would need from the
existing host OS to build that nice-looking LFS construct. :-)
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/task/?15701>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
- [task #15701] Sandboxing the execution of the project, Mohammadreza Khellat, 2020/07/05
- [task #15701] Sandboxing the execution of the project, Mohammad Akhlaghi, 2020/07/05
- [task #15701] Sandboxing the execution of the project, Mohammad Akhlaghi, 2020/07/05
- [task #15701] Sandboxing the execution of the project, Mohammadreza Khellat, 2020/07/29
- [task #15701] Sandboxing the execution of the project, Mohammad Akhlaghi, 2020/07/29
- [task #15701] Sandboxing the execution of the project, Mohammadreza Khellat, 2020/07/29
- [task #15701] Sandboxing the execution of the project, Mohammad Akhlaghi, 2020/07/29
- [task #15701] Sandboxing the execution of the project,
Mohammadreza Khellat <=
- [task #15701] Sandboxing the execution of the project, Mohammad Akhlaghi, 2020/07/30