mkbox

experiments with linux sandbox stuff
git clone http://frotz.net/git/mkbox.git
README (2061B)

mkbox: an experiment in nonprivileged sandboxing in Linux
---------------------------------------------------------

Requires kernel 3.12 or newer with CONFIG_USER_NS.  Distribution kernels
that build CONFIG_USER_NS but block unprivileged namespace creation (for
example Debian's kernel.unprivileged_userns_clone sysctl set to 0) refuse
the initial clone/unshare with EPERM.

Tested on Ubuntu 14.04 LTS / Linux 3.13.7.

Huge thanks to Andy Lutomirski, who provided the roadmap in the form of
a patch to Sandstorm (https://github.com/kentonv/sandstorm/pull/12) as
well as kindly assisting with some early debugging as I fell into various
pits he had previously explored.

Disclaimer:  This is a toy built to learn about these APIs and is
certainly incomplete, likely buggy, etc.  Use at your own risk.
"make test" will build mkbox, create sandbox (which becomes the read-only /
inside the box) and databox (which becomes the writable /data), copy
/bin/busybox into sandbox/bin and create a symlink there for every applet
busybox lists, then invoke: mkbox sandbox `pwd`/databox (note that databox
is passed as an absolute path).

computer$ id
uid=1000(somebody) gid=1000(somebody) groups=1000(somebody)

computer$ make test
cc -Wall -O1 -g -o mkbox mkbox.c
mkdir -p sandbox databox sandbox/bin
cp /bin/busybox sandbox/bin
chmod 755 sandbox/bin/busybox
( cd sandbox/bin && for x in $(busybox --list) ; do ln -fs busybox $x ; done )
./mkbox sandbox `pwd`/databox
mkbox: pid=14259, child=14260


BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ $ id
uid=3333 gid=3333 groups=65534,3333

/ $ ls -l
drwxrwxr-x    2 3333     3333          4096 Apr 27 04:34 bin
drwxrwxr-x    2 3333     3333          4096 Apr 27 04:33 data
drwxr-xr-x    2 3333     3333            80 Apr 27 04:34 dev


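The work "make test" and mkbox go through, as an added example that is not mkbox's own source: a small C program written for this page that does the same namespace and mount setup. It assumes a kernel that allows unprivileged user namespaces, a ROOT directory laid out like sandbox above (bin/busybox plus its symlinks) and a writable DATA directory; the names minibox, run_box, ro_remount_flags and BOX_UID are this example's, not mkbox's. Unlike the README session, where the sandbox mounts are read from the parent's pid 14259, this version keeps the parent in the host namespaces, so the pid to inspect from another shell is the child's. It populates /dev with only /dev/null and checks that the root really came up read-only before handing over to busybox's shell. The ro,nosuid,noatime on the root line of the README's mounts listing shows the caveat ro_remount_flags handles: noatime is inherited from the host mount, and a user namespace cannot drop a flag the kernel locked when it copied the mount tree, so a remount that omits it fails with EPERM.

```c
/* Added example, not the mkbox source: an mkbox-style unprivileged sandbox
 * with a read-only root and a writable /data. Assumes Linux with unprivileged
 * user namespaces enabled, ROOT (argv[1]) holding bin/busybox plus its
 * symlinks, and DATA (argv[2]) being a writable directory.
 * Build: cc -Wall -o minibox minibox.c    Run: ./minibox sandbox databox */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWNS               /* kernel ABI constants; no <sched.h> needed */
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUSER 0x10000000
#endif
#define BOX_UID 3333              /* id seen inside the box, as in the README */

static void die(const char *what) { perror(what); exit(1); }

static void write_file(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0 || write(fd, s, strlen(s)) != (ssize_t)strlen(s)) die(path);
    close(fd);
}

/* One "inside outside count" line for /proc/self/{uid,gid}_map. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside) {
    int n = snprintf(buf, len, "%u %u 1\n", inside, outside);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Flags for the read-only bind remount of a root whose host mount carries the
 * given statvfs f_flag bits. A mount copied into an unprivileged namespace has
 * nodev/nosuid/noexec and its atime mode locked, and a remount that drops one
 * of them fails with EPERM, so they are carried over (ST_* and MS_* bits agree). */
unsigned long ro_remount_flags(unsigned long f_flag) {
    unsigned long flags = MS_REMOUNT | MS_BIND | MS_RDONLY | MS_NOSUID |
                          (f_flag & (MS_NODEV | MS_NOEXEC | MS_NOATIME | MS_NODIRATIME));
    if (!(f_flag & (MS_NOATIME | MS_RELATIME))) flags |= MS_STRICTATIME;
    return flags;
}

/* Child side: namespaces, identity, mount tree, pivot, then busybox's shell. */
static void run_box(const char *root, const char *data) {
    char map[64], *data_abs = realpath(data, NULL);
    uid_t uid = getuid();
    gid_t gid = getgid();
    struct statvfs st;
    if (!data_abs || statvfs(root, &st) < 0) die("ROOT/DATA");
    /* New user + mount namespaces need no privilege; map our real id to BOX_UID.
     * Since 3.19 an unprivileged gid_map write needs "deny" in setgroups first. */
    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNS) < 0) die("unshare");
    format_id_map(map, sizeof map, BOX_UID, uid);
    write_file("/proc/self/uid_map", map);
    int sg = open("/proc/self/setgroups", O_WRONLY);            /* absent before 3.19 */
    if (sg >= 0) { if (write(sg, "deny", 4) != 4) die("setgroups"); close(sg); }
    format_id_map(map, sizeof map, BOX_UID, gid);
    write_file("/proc/self/gid_map", map);
    /* Keep mount changes private and make ROOT a mount point of its own. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) die("private");
    if (mount(root, root, NULL, MS_BIND | MS_REC, NULL) < 0) die("bind root");
    if (chdir(root) < 0) die(root);
    /* Writable /data and a tiny /dev, made while the root is still rw. A user
     * namespace may not mknod devices, so the host's /dev/null is bind-mounted. */
    mkdir("data", 0755);
    mkdir("dev", 0755);                                         /* EEXIST is fine */
    if (mount(data_abs, "data", NULL, MS_BIND, NULL) < 0) die("bind data");
    if (mount("sandbox-dev", "dev", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV,
              "size=64k,mode=755") < 0) die("tmpfs dev");
    int fd = open("dev/null", O_WRONLY | O_CREAT, 0666);        /* empty bind target */
    if (fd < 0 || mount("/dev/null", "dev/null", NULL, MS_BIND, NULL) < 0) die("/dev/null");
    close(fd);
    if (mount(NULL, "dev", NULL, MS_REMOUNT | MS_BIND | MS_RDONLY | MS_NOSUID |
              MS_NOEXEC | MS_NODEV, NULL) < 0) die("ro dev");
    if (mount(NULL, ".", NULL, ro_remount_flags(st.f_flag), NULL) < 0) die("ro root");
    /* pivot_root(".", ".") plus detaching the old root needs no put_old dir. */
    if (syscall(SYS_pivot_root, ".", ".") < 0) die("pivot_root");
    if (umount2(".", MNT_DETACH) < 0) die("umount old root");
    if (chdir("/") < 0 || statvfs("/", &st) < 0) die("new root");
    if (!(st.f_flag & ST_RDONLY)) { fprintf(stderr, "root is not read-only\n"); exit(1); }
    char *envp[] = { "PATH=/bin", "HOME=/data", NULL };
    execle("/bin/sh", "sh", (char *)NULL, envp);
    die("exec /bin/sh");
}

int main(int argc, char **argv) {
    int status;
    if (argc != 3) { fprintf(stderr, "usage: %s ROOT DATA\n", argv[0]); return 2; }
    pid_t child = fork();
    if (child < 0) die("fork");
    if (child == 0) run_box(argv[1], argv[2]);
    printf("minibox: pid=%d, child=%d\n", (int)getpid(), (int)child);   /* inspect the child */
    if (waitpid(child, &status, 0) < 0) die("waitpid");
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

The 65534 in the README's groups=65534,3333 is the overflow id for a supplementary group that has no mapping in the new user namespace; nothing can be opened through it. An EPERM from the unshare call usually means the kernel allows user namespaces only to privileged callers.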
/* in another shell */

computer$ cat /proc/14259/mounts
rootfs / rootfs rw 0 0
/dev/root / ext3 ro,nosuid,noatime,errors=remount-ro,barrier=0,data=writeback 0 0
/dev/root /data ext3 rw,noatime,errors=remount-ro,barrier=0,data=writeback 0 0
sandbox-dev /dev tmpfs ro,nosuid,noexec,noatime,size=64k,nr_inodes=16,mode=755,uid=1000,gid=1000 0 0
devtmpfs /dev/null devtmpfs rw,relatime,size=1019296k,nr_inodes=254824,mode=755 0 0
devtmpfs /dev/zero devtmpfs rw,relatime,size=1019296k,nr_inodes=254824,mode=755 0 0
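The same check done by a program rather than by eye, as an added example that is not part of mkbox: a small C tool written for this page that reads /proc/PID/mounts and tests the three properties the listing above shows (/ read-only, /data writable, /dev nosuid and noexec). Without arguments it runs against SAMPLE_TABLE, a constructed copy of the listing above; mount_has_opt and table_looks_sandboxed are this example's names. The first "rootfs / rootfs rw" line is shadowed by the ext3 mount stacked on top of it, so a naive grep for a writable / would misjudge the root; the check uses the last line for each target, as the kernel does.

```c
/* Added example, not part of mkbox: check a running box from outside by reading
 * /proc/PID/mounts, the way the README does by hand with cat. SAMPLE_TABLE is a
 * constructed copy of the README's listing so the tool also runs without a box.
 * Build: cc -Wall -o boxcheck boxcheck.c    Run: ./boxcheck PID  (or no args) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Does the topmost mount at target in a mounts table carry option opt?
 * Lines read "spec target fstype opts dump pass"; a later line at the same
 * target shadows an earlier one, just as the kernel stacks mounts, so the
 * "rootfs / rootfs rw" line below does not make / count as writable. */
int mount_has_opt(const char *table, const char *target, const char *opt) {
    char tgt[256], opts[512], top[512] = "";
    int seen = 0;
    for (const char *p = table; *p; p = strchr(p, '\n') ? strchr(p, '\n') + 1 : "")
        if (sscanf(p, "%*s %255s %*s %511s", tgt, opts) == 2 && strcmp(tgt, target) == 0) {
            strcpy(top, opts);
            seen = 1;
        }
    if (!seen) return 0;
    for (char *t = strtok(top, ","); t; t = strtok(NULL, ","))   /* whole-word match */
        if (strcmp(t, opt) == 0) return 1;
    return 0;
}

/* What the README's box promises: / read-only, /data writable, /dev harmless. */
int table_looks_sandboxed(const char *table) {
    return mount_has_opt(table, "/", "ro") && mount_has_opt(table, "/data", "rw") &&
           mount_has_opt(table, "/dev", "nosuid") && mount_has_opt(table, "/dev", "noexec");
}

/* Constructed sample: the README's cat /proc/14259/mounts output, verbatim. */
const char SAMPLE_TABLE[] =
    "rootfs / rootfs rw 0 0\n"
    "/dev/root / ext3 ro,nosuid,noatime,errors=remount-ro,barrier=0,data=writeback 0 0\n"
    "/dev/root /data ext3 rw,noatime,errors=remount-ro,barrier=0,data=writeback 0 0\n"
    "sandbox-dev /dev tmpfs ro,nosuid,noexec,noatime,size=64k,nr_inodes=16,mode=755,uid=1000,gid=1000 0 0\n"
    "devtmpfs /dev/null devtmpfs rw,relatime,size=1019296k,nr_inodes=254824,mode=755 0 0\n"
    "devtmpfs /dev/zero devtmpfs rw,relatime,size=1019296k,nr_inodes=254824,mode=755 0 0\n";

/* Read /proc/PID/mounts into buf; NULL if the pid is gone or unreadable. */
static char *read_mounts(const char *pid, char *buf, size_t len) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/mounts", pid);
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return buf;
}

int main(int argc, char **argv) {
    char buf[16384];
    const char *table = argc > 1 ? read_mounts(argv[1], buf, sizeof buf) : SAMPLE_TABLE;
    if (!table) { perror("mounts"); return 2; }
    int ok = table_looks_sandboxed(table);
    printf("%s: %s\n", argc > 1 ? argv[1] : "sample", ok ? "sandboxed" : "NOT sandboxed");
    return ok ? 0 : 1;
}
```

Option matching is whole-word on the comma-separated list, so "suid" does not match "nosuid", and a target that never appears in the table fails every check rather than passing by absence.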