Lines 4-27
4 |
environment. This is used as a QA measure to try and prevent applications from |
4 |
environment. This is used as a QA measure to try and prevent applications from |
5 |
modifying files they should not. |
5 |
modifying files they should not. |
6 |
|
6 |
|
7 |
For example, in the Gentoo world we use it so we can build applications as root |
7 |
For example, in the Gentoo world we use it to build applications as root |
8 |
and make sure that the build system does not do crazy things outside of its |
8 |
while making sure that the build system does not do crazy things outside of its |
9 |
build directory. Such as install files to the live root file system or modify |
9 |
build directory (such as install files to the live root file system or modify |
10 |
config files on the fly. |
10 |
config files on the fly). |
11 |
|
11 |
|
12 |
For people who are familiar with the Debian "fakeroot" project or the RPM based |
12 |
For people who are familiar with the Debian "fakeroot" project or the RPM based |
13 |
"InstallWatch", sandbox is in the same vein of projects. |
13 |
"InstallWatch", sandbox is in the same vein of projects. |
14 |
|
14 |
|
15 |
## Method |
15 |
## Method |
16 |
|
16 |
|
17 |
The way sandbox works is that you prime a few environment variables (in order |
17 |
Sandbox works by priming a few environment variables (in order to control |
18 |
to control the sandbox's behavior) and then stick it into the LD_PRELOAD |
18 |
the sandbox's behavior) then inserting its own libsandbox.so into |
19 |
variable. Then when the ELF loader runs, it will first load the sandbox |
19 |
the LD_PRELOAD variable. This will cause the ELF loader to first load |
20 |
library. Whenever an applications makes a library call that we have wrapped, |
20 |
the sandbox library. Whenever an application makes a library call that |
21 |
we'll check the arguments against the environment settings. Based on that, any |
21 |
has been wrapped, the arguments will be checked against the environment |
22 |
access that is not permitted is logged and we return an error to the |
22 |
settings. Based on that, any access that is not permitted is logged and |
23 |
application. Any access that is permitted is of course forwarded along to the |
23 |
will return an error to the application. Any access that is permitted |
24 |
real C library. |
24 |
will, of course, be forwarded along to the real C library. |
25 |
|
25 |
|
26 |
Static ELFs and setuid/setgid programs are executed with |
26 |
Static ELFs and setuid/setgid programs are executed with |
27 |
[ptrace()](https://man7.org/linux/man-pages/man2/ptrace.2.html) instead. |
27 |
[ptrace()](https://man7.org/linux/man-pages/man2/ptrace.2.html) instead. |
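Review bot: the rewritten lines 22-23 have a subject mismatch: "any access that is not permitted is logged and will return an error to the application" reads as if the access returns the error; suggest "is logged and an error is returned to the application". The new line 9-10 parenthetical keeps the old verb forms ("such as install files ... or modify config files on the fly"); since it now hangs off "outside of its build directory", it should read "such as installing files to the live root file system or modifying config files on the fly". The rest of the rewording (libsandbox.so named explicitly, LD_PRELOAD flow, ptrace fallback for static and setuid/setgid binaries) is accurate and clearer than the old text.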
Lines 76-78
76 |
* [Linux](https://kernel.org/) 3.8+ |
76 |
* [Linux](https://kernel.org/) 3.8+ |
77 |
* C library |
77 |
* C library |
78 |
* They all should work! |
78 |
* They all should work! |
|
|
79 |
|
80 |
## Documentation |
81 |
|
82 |
A manual page is not currently available, but a list of command-line options |
83 |
with descriptive text can be obtained by executing `sandbox --help`. |
84 |
|
85 |
Additional options are read from `/etc/sandbox.conf` and files in |
86 |
`/etc/sandbox.d/`. A list of items that can appear in these files |
87 |
along with a description can be found in the `/etc/sandbox.conf` file |
88 |
that is included with the sandbox application. |
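Review bot: lines 76-78 show identical text in both columns, so this hunk carries no visible change; if it is a whitespace or line-ending fix, the commit message should say so, otherwise drop the hunk to keep the patch minimal. While touching this list, "* They all should work!" is too vague for a supported-platforms section of a README; state what is actually tested (the Linux 3.8+ and C library requirements above it) or remove the line.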