---------
about
---------

Sandbox is a library (and helper utility) to run programs in a "sandboxed"
environment. This is used as a QA measure to try and prevent applications from
modifying files they should not.

For example, in the Gentoo world we use it so we can build applications as root
and make sure that the build system does not do crazy things outside of its
build directory, such as installing files into the live root file system or
modifying config files on the fly.

For people who are familiar with the Debian "fakeroot" project or the RPM based
"InstallWatch", sandbox is in the same vein of projects.

----------
method
----------

The way sandbox works is that you prime a few environment variables (in order
to control the sandbox's behavior) and then stick the sandbox library into the
LD_PRELOAD variable. When the dynamic loader starts the program, it maps the
sandbox library before the program's other shared libraries, so the sandbox's
definitions of the wrapped functions are the ones the program binds to.
Whenever an application makes a library call that we have wrapped, we check
the arguments against the environment settings. Based on that, any access that
is not permitted is logged and we return an error to the application. Any
access that is permitted is of course forwarded along to the real C library.
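As an added illustration of the mechanism described above (example code written for this page, not the sandbox project's own source), here is a minimal LD_PRELOAD interposer in C. The environment variable name SBX_WRITE_PREFIXES and the sbx_* function names are assumptions chosen for the example; the real sandbox uses its own set of variables and wraps many more entry points. The example wraps open(2), permits writes only under the listed directory prefixes, logs and rejects anything else with EACCES, and forwards permitted calls to libc via dlsym(RTLD_NEXT).

```c
/* Added example, not the sandbox project's code: a minimal LD_PRELOAD
 * interposer for open(2).  Policy comes from a hypothetical environment
 * variable SBX_WRITE_PREFIXES, a colon-separated list of directories
 * under which writes are allowed.
 *
 * Build:  gcc -shared -fPIC -o libsbx.so sbx.c      (add -ldl on glibc < 2.34)
 * Use:    SBX_WRITE_PREFIXES=/tmp/build LD_PRELOAD=$PWD/libsbx.so \
 *             sh -c 'echo hi > /tmp/build/ok; echo hi > /etc/motd'
 * The second redirection is logged on stderr and fails with EACCES.
 */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if path lies under one of the colon-separated prefixes, else 0.
 * A prefix matches the path itself or a path below it, so "/tmp/build"
 * permits "/tmp/build/foo" but not "/tmp/builder/foo".  A NULL or empty
 * prefix list permits nothing. */
int sbx_path_allowed(const char *path, const char *prefixes)
{
    if (!path || !prefixes)
        return 0;
    const char *p = prefixes;
    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        /* "/tmp/build/" and "/tmp/build" mean the same directory */
        while (len > 1 && p[len - 1] == '/')
            len--;
        if (len > 0 && strncmp(path, p, len) == 0 &&
            (path[len] == '\0' || path[len] == '/' ||
             (len == 1 && p[0] == '/')))
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Does this open(2) flag set request write access?  O_CREAT and O_TRUNC
 * modify the file system even when the access mode is O_RDONLY. */
int sbx_is_write(int flags)
{
    int acc = flags & O_ACCMODE;
    return acc == O_WRONLY || acc == O_RDWR ||
           (flags & (O_CREAT | O_TRUNC)) != 0;
}

/* Interposed open(): the loader binds the program's open() calls here
 * because this library precedes libc in the search order. */
int open(const char *path, int flags, ...)
{
    static int (*real_open)(const char *, int, ...);
    if (!real_open) /* RTLD_NEXT: the next definition after ours, i.e. libc's */
        real_open = (int (*)(const char *, int, ...))dlsym(RTLD_NEXT, "open");

    /* open() only carries a mode argument for O_CREAT (and O_TMPFILE) */
    int needs_mode = (flags & O_CREAT) != 0;
#ifdef O_TMPFILE
    needs_mode |= (flags & O_TMPFILE) == O_TMPFILE;
#endif
    mode_t mode = 0;
    if (needs_mode) {
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }

    /* Make relative paths absolute so the prefix check is meaningful.
     * Note: this does not resolve ".." or symlinks; a real sandbox must
     * canonicalize (realpath-style) before deciding. */
    char abs[PATH_MAX];
    const char *check = path;
    if (path && path[0] != '/' && getcwd(abs, sizeof abs) &&
        strlen(abs) + 1 + strlen(path) < sizeof abs) {
        strcat(abs, "/");
        strcat(abs, path);
        check = abs;
    }

    if (sbx_is_write(flags) &&
        !sbx_path_allowed(check, getenv("SBX_WRITE_PREFIXES"))) {
        fprintf(stderr, "sbx: denied open(\"%s\", 0x%x)\n", check, flags);
        errno = EACCES;   /* application sees a plain permission error */
        return -1;
    }
    return real_open(path, flags, mode); /* permitted: hand off to libc */
}
```

Two caveats a practitioner should keep in mind. First, a wrapper like this only sees the one entry point it redefines; a real sandbox has to wrap every libc function that can reach the file system (open64, openat, creat, fopen, unlink, rename, mkdir, and so on) and canonicalize paths before checking them, or "../../etc/passwd" and symlinks slip past the prefix test. Second, LD_PRELOAD is a cooperative mechanism: statically linked programs and code that issues syscalls directly bypass it entirely, which is why the README describes sandbox as a QA measure against misbehaving build systems rather than a security boundary against hostile code.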