https://github.com/coreboot/encapsulate
- Host: GitHub
- URL: https://github.com/coreboot/encapsulate
- Owner: coreboot
- License: isc
- Created: 2020-02-14T07:45:39.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2020-08-26T15:10:21.000Z (over 5 years ago)
- Last Synced: 2025-01-02T23:46:22.983Z (over 1 year ago)
- Language: C
- Size: 9.77 KB
- Stars: 2
- Watchers: 6
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.markdown
- License: LICENSE
README
Encapsulate
===========
Linux utility to isolate a process and its children while providing a full environment easily.
Makes use of Linux's namespace capabilities and is thus totally unportable. It also might
require more Linux kernel options than you have enabled.
Usage
-----
`encapsulate writable-subtree|tree2|tree3|... command args...`
Isolation
---------
encapsulate:
* detaches itself (and its children) from the system's mount point table, IPC table, process ID table and network stack instance,
* mounts the current filesystem view to a temporary directory,
* marks it read-only,
* mounts each `writable-subtree` (delimited by `|`) at its "native" location inside the new directory hierarchy,
* chroots to the newly mounted root directory,
* chdirs to the current directory (but inside the chroot),
* setuids back to the current user,
* and finally calls `command` with `args`
A separate process waits for all this to finish and deletes the temporary directory afterwards.
The result is that `command` runs in a system similar to the real one, with a couple of exceptions. First, only files below
the `writable-subtree`s are writable; everything else (including /tmp, unless that's one of the directories you choose) is read-only.
Second, `command` can't inspect many aspects of the system (such as currently running processes) or interact with other processes
easily. Third, the network is blocked, so if `command` attempts to run a spam-bot, it will fail.
Example
-------
`encapsulate /tmp|/home/foo bash`
This starts a shell with "just the same" filesystem view as normal, but with everything except /tmp and /home/foo (and their subdirectories) read-only.
The new view is mounted to a temporary directory, but that happens in a separate mount namespace, so it isn't visible to the host system except as an empty directory in /tmp.
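The steps listed under "Isolation" and the invocation shown above, as an added example that is not the project's own code: a minimal C program that splits the `|`-delimited subtree list, unshares the mount, IPC, PID and network namespaces, binds the current root read-only at a temporary directory, re-binds the chosen subtrees writable, and then chroots, chdirs, drops privileges and execs the command, while the parent process (still in the host namespaces) waits and removes the now-empty temporary directory. The function names `split_writable_trees` and `build_view`, the `/tmp/encap.XXXXXX` template and the 32-subtree limit are assumptions of this example. It must run with CAP_SYS_ADMIN (for example as a setuid-root binary) to perform the namespace and mount operations.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/wait.h>

/* Split "tree1|tree2|..." into absolute paths (strdup'ed into out[]).
 * Returns the count, or -1 if a tree is not absolute: each tree is re-bound
 * at the same path inside the new root, so a relative path cannot be used. */
int split_writable_trees(const char *spec, char **out, int max)
{
    char *copy = strdup(spec), *save = NULL;
    int n = 0;
    if (!copy)
        return -1;
    for (char *tok = strtok_r(copy, "|", &save); tok && n < max;
         tok = strtok_r(NULL, "|", &save)) {
        if (tok[0] != '/') {
            while (n > 0)
                free(out[--n]);
            free(copy);
            return -1;
        }
        out[n++] = strdup(tok);
    }
    free(copy);
    return n;
}

/* New namespaces, a read-only bind of "/" at tmpdir, then writable binds of
 * the chosen subtrees. Needs CAP_SYS_ADMIN; returns -1 with errno set. */
static int build_view(const char *tmpdir, char **trees, int ntrees)
{
    char target[4096];

    if (unshare(CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNET) < 0)
        return -1;
    /* Make propagation private so our mounts never reach the host namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return -1;
    if (mount("/", tmpdir, NULL, MS_BIND | MS_REC, NULL) < 0)
        return -1;
    /* A bind-remount with MS_RDONLY affects only this mount point; submounts
     * bound recursively (e.g. /proc, /dev) keep their own flags. */
    if (mount(NULL, tmpdir, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0)
        return -1;
    for (int i = 0; i < ntrees; i++) {
        snprintf(target, sizeof target, "%s%s", tmpdir, trees[i]);
        if (mount(trees[i], target, NULL, MS_BIND | MS_REC, NULL) < 0)
            return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char *trees[32];
    char tmpdir[] = "/tmp/encap.XXXXXX"; /* assumed template */
    char cwd[4096];
    uid_t uid = getuid();
    gid_t gid = getgid();
    int ntrees, status;

    if (argc < 3) {
        fprintf(stderr, "usage: %s writable-subtree|tree2|... command args...\n", argv[0]);
        return 2;
    }
    ntrees = split_writable_trees(argv[1], trees, 32);
    if (ntrees < 0 || !getcwd(cwd, sizeof cwd) || !mkdtemp(tmpdir)) {
        perror("setup");
        return 1;
    }
    /* The parent stays in the host namespaces: it only waits and cleans up. */
    pid_t pid = fork();
    if (pid == 0) {
        if (build_view(tmpdir, trees, ntrees) < 0) {
            perror("isolate");
            _exit(1);
        }
        /* unshare(CLONE_NEWPID) applies to children, so fork once more: the
         * grandchild becomes PID 1 of the new PID namespace and runs command. */
        pid_t inner = fork();
        if (inner == 0) {
            if (chroot(tmpdir) < 0 || chdir(cwd) < 0 ||
                setgid(gid) < 0 || setuid(uid) < 0) {
                perror("enter");
                _exit(1);
            }
            execvp(argv[2], argv + 2);
            perror("exec");
            _exit(127);
        }
        waitpid(inner, &status, 0);
        _exit(WIFEXITED(status) ? WEXITSTATUS(status) : 1);
    }
    waitpid(pid, &status, 0);
    rmdir(tmpdir); /* empty in the host's view: the mounts lived in the child's namespace */
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Usage mirrors the README: `./encap '/tmp|/home/foo' bash`. The order of operations is the security-relevant part: the read-only remount happens before any writable subtree is bound, privileges are dropped with `setgid`/`setuid` only after `chroot`, and the cleanup process never enters the new namespaces, so it sees just an empty directory in /tmp.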