blob: 1bbc6e67c88f2edee7fcb1527a590ed58c4f264c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
---------
about
---------
Sandbox is a library (and helper utility) to run programs in a "sandboxed"
environment. This is used as a QA measure to try and prevent applications from
modifying files they should not.
For example, in the Gentoo world we use it so we can build applications as root
and make sure that the build system does not do crazy things outside of its
build directory. Such as install files to the live root file system or modify
config files on the fly.
For people who are familiar with the Debian "fakeroot" project or the RPM based
"InstallWatch", sandbox is in the same vein of projects.
----------
method
----------
The way sandbox works is that you prime a few environment variables (in order
to control the sandbox's behavior) and then stick it into the LD_PRELOAD
variable. Then when the ELF loader runs, it will first load the sandbox
library. Whenever an applications makes a library call that we have wrapped,
we'll check the arguments against the environment settings. Based on that, any
access that is not permitted is logged and we return an error to the
application. Any access that is permitted is of course forwarded along to the
real C library.
|
GitWeb
