
    • CommentAuthorKickstart
    • CommentTimeMar 31st 2008 edited
     # 1
    Hello all,

    Reading about the sandbox function when installing software, I have 2 questions:

    1) Is there a mature way to block applications from spreading their files out of their application directory during RUNTIME? I fear it is not possible because of inheriting the filesystem rights from the user having started the application?
    2) Would it be possible to redirect write attempts to hardcoded paths during installation to subdirectories of the Applications directory? Say symlinking the opt/lib/etc stuff during installation to subdirs of the application directory? Would it be (from a technological point of view) possible to fade in these subdirectories as opt/lib/etc during runtime separately for each application?

    Greetings

    Frank
    • CommentAuthorMichael
    • CommentTimeMar 31st 2008
     # 2
    All of that is theoretically and technologically possible. There is nothing existing that does it, though.
    • CommentAuthorgiddie
    • CommentTimeMar 31st 2008
     # 3
    I'm working on this idea in my spare time. The idea is to make application bundles, similar to those used in MacOS X, that can be "mounted" into a FUSE filesystem. It should be possible to customise the filesystem for each running process, effectively sandboxing them. It would also be possible to determine and mount dependencies at runtime. My plans also include allowing bundles to be mounted from anywhere. I have other projects on the go though, so it's slow going.
    • CommentAuthorm@cCo
    • CommentTimeMar 31st 2008
     # 4
    Posted By: giddie
    I'm working on this idea in my spare time. The idea is to make application bundles, similar to those used in MacOS X, that can be "mounted" into a FUSE filesystem. It should be possible to customise the filesystem for each running process, effectively sandboxing them. It would also be possible to determine and mount dependencies at runtime. My plans also include allowing bundles to be mounted from anywhere. I have other projects on the go though, so it's slow going.

    Mmm, being totally ignorant of this, it seems to sound very much like our /System/Index project...
    • CommentAuthorgiddie
    • CommentTimeMar 31st 2008
     # 5
    Yes, it's a similar idea indeed, but there are a number of fundamental differences as well. What I'm working on would require a big shift for GoboLinux that I don't think it's ready for, so I thought I'd work on my own system, and if / when it works, maybe GoboLinux would follow suit. We'll see how things pan out. Maybe my ideas will crash & burn horribly :)
    • CommentAuthorshevegen
    • CommentTimeApr 3rd 2008
     # 6
    Maybe my ideas will crash & burn horribly :)


    hehe
    I once talked to a guy who was planning a completely automatic BLFS project
    using and transforming any existing XML (or XSLT or whatever, it sounded a bit complicated)

    I haven't talked to him again in years, he kinda seems to have disappeared and I never
    again heard of that project - hope your idea doesn't get so ambitious that it falls over itself :)

    I also wonder why there aren't more in the *nix world that pursue something similar to
    application bundles by the way
    • CommentAuthorgiddie
    • CommentTimeApr 3rd 2008
     # 7
    Yeah, I was pretty overwhelmed by the volume of the ideas at first, but I'm pretty confident I can go in little steps and see how things go. My first goal is to build a FUSE filesystem that will display files that are listed in an SQLite database, and a matching executable that will add the files in bundle directories recursively to the database. After that I can start to think about a daemon that will notice when the source bundles are moved around and update the database.

    I already have some code that will do the recursive adding to the database, written in C, and a basic FUSE filesystem that isn't hooked up to the database yet. It works in Linux & Darwin.
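
A sketch of the first goal described in the post above (recursively adding bundle files to an SQLite database, then answering lookups from it), added here as an example and not giddie's code. The table layout, function names and sample bundles are assumptions, as is the check that refuses bundle entries resolving outside the bundle directory; `resolve` stands in for the lookup a FUSE handler would make for one process's set of visible bundles.

```python
import os
import sqlite3
import tempfile

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (bundle TEXT, vpath TEXT, backing TEXT, "
               "PRIMARY KEY (bundle, vpath))")
    return db

def index_bundle(db, bundle, root):
    """Recursively add a bundle's files; return entries refused as escaping it."""
    root = os.path.realpath(root)
    refused = []
    for dirpath, _dirs, names in os.walk(root):  # does not descend into symlinked dirs
        for name in names:
            path = os.path.join(dirpath, name)
            real = os.path.realpath(path)
            if os.path.commonpath([root, real]) != root:  # symlink leaving the bundle
                refused.append(os.path.relpath(path, root))
                continue
            vpath = "/" + os.path.relpath(path, root).replace(os.sep, "/")
            db.execute("INSERT OR REPLACE INTO files VALUES (?, ?, ?)",
                       (bundle, vpath, real))
    db.commit()
    return refused

def resolve(db, visible, vpath):
    """Backing file for vpath among the bundles this process may see, else None."""
    marks = ",".join("?" * len(visible))  # placeholders only, values stay bound
    row = db.execute(f"SELECT backing FROM files WHERE vpath = ? AND bundle IN ({marks})",
                     [vpath, *visible]).fetchone()
    return row[0] if row else None

def demo():
    """Constructed sample: two bundles, one holding a symlink that points outside."""
    top = tempfile.mkdtemp()
    for rel in ("editor/bin/edit", "editor/etc/edit.conf", "player/bin/play", "outside/secret"):
        os.makedirs(os.path.dirname(os.path.join(top, rel)), exist_ok=True)
        open(os.path.join(top, rel), "w").close()
    os.symlink(os.path.join(top, "outside/secret"), os.path.join(top, "player/etc-link"))
    db = open_db()
    refused = {b: index_bundle(db, b, os.path.join(top, b)) for b in ("editor", "player")}
    return db, refused

if __name__ == "__main__":
    db, refused = demo()
    print("refused:", refused)
    print("editor view of /bin/play:", resolve(db, ["editor"], "/bin/play"))
```
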