Erlend Guru
Joined: 26 Dec 2004 Posts: 493
Posted: Sat Feb 05, 2011 11:26 am Post subject: Using unionfs to sandbox your system?
I've been wondering about this for a while now.
It should, in principle, be possible to use unionfs and mounting of tmpfs devices to effectively sandbox your system, so that your system on disk is read-only and writes are sent to tmpfs.
E.g
mount -t tmpfs none /mnt/tmpfs
mount -t unionfs -o dirs=/mnt/tmpfs=rw:/=ro unionfs /
(or equivalently using one of the fuse-based unionfs implementations)
The trouble is this doesn't work, I think because I'm trying to mount over an existing mount-point (/).
Has anybody here tried this? Is there a better way to do it? It seems to me like it might be better than chroot for sandboxing the system.
Thanks,
Erlend _________________ Thunar-thumbnailers
Raw-thumbnailer
http://brainstorm.ubuntu.com/idea/6878/image/1/ |
gerdesj l33t
Joined: 29 Sep 2005 Posts: 622 Location: Yeovil, Somerset, UK
Posted: Sun Feb 06, 2011 3:51 am Post subject: Re: Using unionfs to sandbox your system?
Perhaps you should tell us what you are trying to achieve with this manoeuvre.
Sandboxes are designed to quarantine parts of a system. I suspect you will be disappointed trying to do that to the whole system.
Cheers
Jon |
Erlend Guru
Joined: 26 Dec 2004 Posts: 493
Posted: Sun Feb 06, 2011 11:00 am
Here's a better example of what I'm trying to do,
I have many parts of my system on different partitions (/tmp /home /var and so on). Now say I want to run some binary I don't trust, so I don't want it deleting my home directory (but at the same time I'd like to capture some of the changes it's making in /mnt/tmpfs).
Code: |
unionfs -o cow,stats,allow_other,nonempty /mnt/tmpfs=RW:/home=RO /home |
This just causes things to lock-up, I can no longer 'ls /home' until I force umount the unionfs mount.
gerdesj l33t
Joined: 29 Sep 2005 Posts: 622 Location: Yeovil, Somerset, UK
Posted: Mon Feb 07, 2011 12:14 am
OK - sorry for my flippant response, I see what you are doing. It sounds similar to the way some Live distros work on a DVD + USB stick or even purely on the USB stick.
In your example though, I'd use a VM. They are so easy to run up using libvirt. That way you have full control over what it does.
You probably want to have /tmp mounted on a tmpfs anyway as a matter of course - it gets wiped by the init scripts at shutdown anyway.
I haven't tried out unionfs yet, so will try some experiments.
EDIT: Before I start - which UnionFS are you using! There's a kernel based one, a FUSE one and AUFS at least to choose from.
Cheers
Jon |
Erlend Guru
Joined: 26 Dec 2004 Posts: 493
Posted: Mon Feb 07, 2011 12:48 am
gerdesj wrote: | OK - sorry for my flippant response, I see what you are doing. It sounds similar to the way some Live distros work on a DVD + USB stick or even purely on the USB stick.
|
No worries, and yes it's very similar to the LiveCD behaviour.
gerdesj wrote: |
In your example though, I'd use a VM. They are so easy to run up using libvirt. That way you have full control over what it does.
|
I have used a virtual machine before via VirtualBox. It seems a bit of a heavy solution for what I'm trying here I think.
gerdesj wrote: |
You probably want to have /tmp mounted on a tmpfs anyway as a matter of course - it gets wiped by the init scripts at shutdown anyway.
|
I've been considering mounting /tmp on a tmpfs actually, I have 6GB of RAM so I could spare 1GB for /tmp I guess.
gerdesj wrote: |
I haven't tried out unionfs yet, so will try some experiments.
EDIT: Before I start - which UnionFS are you using! There's a kernel based one, a FUSE one and AUFS at least to choose from.
|
I'm using the unionfs-fuse one because the kernel one comes as a module which isn't compatible with the newer 2.6.x kernels.
Thanks,
Erlend
gerdesj l33t
Joined: 29 Sep 2005 Posts: 622 Location: Yeovil, Somerset, UK
Posted: Mon Feb 07, 2011 1:14 am
You have a shed load of RAM! tmpfs will only use whatever you put in it so you don't have to permanently set aside RAM for it. Mine is currently using 224Kb and my laptop has been running for several days now.
Just pop this in fstab:
Code: |
none /tmp tmpfs noatime 0 0
|
I'm not sure but I think it is clever enough to spill over onto the physical filesystem if need be.
Cheers
Jon |
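An added example, not part of the thread: a check for tmpfs entries in fstab such as the /tmp line above. A tmpfs mount with no `size=` option defaults to half of physical RAM, and `nosuid` and `nodev` are the usual restrictions on a world-writable directory where untrusted binaries may write; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit tmpfs entries in an fstab-format file.
# Prints one line per tmpfs mount lacking size=, nosuid or nodev; returns 1 if any.
audit_tmpfs() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        $3 == "tmpfs" {
            has_size = 0; has_nosuid = 0; has_nodev = 0
            n = split($4, opt, ",")             # field 4 holds the mount options
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^size=/)  has_size = 1
                if (opt[i] == "nosuid") has_nosuid = 1
                if (opt[i] == "nodev")  has_nodev = 1
            }
            missing = ""
            if (!has_size)   missing = missing " size="
            if (!has_nosuid) missing = missing " nosuid"
            if (!has_nodev)  missing = missing " nodev"
            if (missing != "") { print $2 ": missing" missing; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the /tmp entry as posted in the thread, a capped and
# restricted tmpfs on the thread's /mnt/tmpfs path, and a non-tmpfs entry.
sample_fstab() {
    cat <<'EOF'
# <fs>     <mountpoint>  <type>  <opts>                         <dump> <pass>
none       /tmp          tmpfs   noatime                        0 0
none       /mnt/tmpfs    tmpfs   noatime,nosuid,nodev,size=1G   0 0
/dev/sda1  /home         ext4    noatime                        0 2
EOF
}

f=$(mktemp)
sample_fstab > "$f"
audit_tmpfs "$f" || echo "tmpfs entries listed above need review"
rm -f "$f"
```

Run `audit_tmpfs /etc/fstab` to check a live system; `noexec` is deliberately not required here because some software expects to execute files from /tmp.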