esy-issues icon indicating copy to clipboard operation
esy-issues copied to clipboard

Published 20 hours ago verified publisher icon jordwalke

Proper sandbox mechanism

Open andreypopp opened this issue 8 years ago • 4 comments

Nix uses sandbox-exec on macOS and something on Linux (cgroups?) to catch sandbox violations. We should do the same.

What we need is to allow writes only to $cur__target_dir and $cur__install and reads from some whitelisted locations + dependencies' installation locations.

andreypopp avatar Dec 30 '16 11:12 andreypopp

Got support for that on macOS in #17. If anyone works on Linux and has knowledge of Linux namespaces — they are invited to help me with that!

andreypopp avatar Jan 02 '17 10:01 andreypopp

One thing we can try on linux is to create two mount points for the subprocess -- one for the entire filesystem and one for $cur__root. Then use chroot before executing the command, so something like:

mount --bind / /tmp/chroot_for_esy
mount -o remount,ro /tmp/chroot_for_esy 
mount --bind $cur_root /tmp/chroot_for_esy/$cur_root  # make cur_root writable

I've never tried anything like this so not sure if this approach would work.

yunxing avatar Jan 03 '17 00:01 yunxing

@yunxing does mount --bind require root? That would be a downside if so.

I was thinking of namespaces on Linux to get the same level of isolation as #17 implements on macOS — allow writes into $cur__install and $cur__target_dir only. That would be a good start as it will make build caching safe.

andreypopp avatar Jan 03 '17 09:01 andreypopp

@andreypopp namespaces on Linux uses mount. I can experiment with that a bit.

yunxing avatar Jan 03 '17 21:01 yunxing