Re: [gentoo-dev] mbox -- looks sort of interesting

2014-02-11 Thread Jason A. Donenfeld
On Tue, Feb 11, 2014 at 10:39 PM, Wulf C. Krueger wrote:
> On 11.02.2014 01:36, Jason A. Donenfeld wrote:
>> It's a sandbox that uses a combination of ptrace and seccomp bpf;
>> neither ours nor exherbo's uses both of these together.
>
> Actually, sydbox, Exherbo's sandbox *does* use both together.

I didn't know sydbox made use of bpf. That's really cool. I'll have to
take another look.



Re: [gentoo-dev] mbox -- looks sort of interesting

2014-02-11 Thread Wulf C. Krueger
Hello Jason,

On 11.02.2014 01:36, Jason A. Donenfeld wrote:
> It's a sandbox that uses a combination of ptrace and seccomp bpf; 
> neither ours nor exherbo's uses both of these together.

Actually, sydbox, Exherbo's sandbox *does* use both together.

-- 
Best regards, Wulf



Re: [gentoo-dev] mbox -- looks sort of interesting

2014-02-11 Thread justin
On 11/02/14 01:36, Jason A. Donenfeld wrote:
> Hey folks,
> 
> Late night clicking-while-drooling, I came across something a few
> minutes ago that mildly piqued my interest -- mbox.
> It's a sandbox that uses a
> combination of ptrace and seccomp bpf; neither ours nor exherbo's uses
> both of these together. The killer feature, for us, that's motivating
> me to write to this list, is that it creates a "shadow file system",
> and then has the option to commit the changes of that file system to
> the real file system, piece by piece, when the process is done. It
> made me think of some discussions we had at FOSDEM about Portage
> evolution and whatnot. I haven't looked at this tool past an initial
> glance, but it does look like interesting food for thought.
> 
> Jason
> 

At FOSDEM I have seen this interesting talk[1,2] on a similar subject.
PRoot[3] would be similar to mbox. But CARE[4] might be great to
reproduce build problems on user machines.

justin

1 https://fosdem.org/2014/schedule/event/syscall/
2 http://ftp.belnet.be/FOSDEM/2014/H2215_Ferrer/Saturday/Software_engineering_tools_based_on_syscall_instrumentation.webm
3 http://proot.me/
4 http://reproducible.io/





Re: [gentoo-dev] mbox -- looks sort of interesting

2014-02-10 Thread Michael Haubenwallner

On 02/11/14 01:36, Jason A. Donenfeld wrote:
> Hey folks,
> 
> Late night clicking-while-drooling, I came across something a few
> minutes ago that mildly piqued my interest -- mbox.
> It's a sandbox that uses a
> combination of ptrace and seccomp bpf; neither ours nor exherbo's uses
> both of these together. The killer feature, for us, that's motivating
> me to write to this list, is that it creates a "shadow file system",
> and then has the option to commit the changes of that file system to
> the real file system, piece by piece, when the process is done. It
> made me think of some discussions we had at FOSDEM about Portage
> evolution and whatnot. I haven't looked at this tool past an initial
> glance, but it does look like interesting food for thought.

Sounds interesting, especially the "without special privileges" bit...

/haubi/



[gentoo-dev] mbox -- looks sort of interesting

2014-02-10 Thread Jason A. Donenfeld
Hey folks,

Late night clicking-while-drooling, I came across something a few
minutes ago that mildly piqued my interest -- mbox.
It's a sandbox that uses a
combination of ptrace and seccomp bpf; neither ours nor exherbo's uses
both of these together. The killer feature, for us, that's motivating
me to write to this list, is that it creates a "shadow file system",
and then has the option to commit the changes of that file system to
the real file system, piece by piece, when the process is done. It
made me think of some discussions we had at FOSDEM about Portage
evolution and whatnot. I haven't looked at this tool past an initial
glance, but it does look like interesting food for thought.

Jason

-- 
Jason A. Donenfeld
Gentoo Linux Security & Infrastructure
zx...@gentoo.org
www.zx2c4.com
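
A conceptual model of the "shadow file system" with piece-by-piece commit described in the message above, as an added example that is not part of the thread and is not mbox's code. `ShadowFS`, its methods and the sample paths are hypothetical; it models the idea in userspace Python and does not intercept syscalls with ptrace or seccomp bpf.

```python
import os, shutil, tempfile

class ShadowFS:
    # Conceptual model: sandboxed writes land in `shadow`; `real` changes only on commit().
    def __init__(self, real_root, shadow_root):
        self.real, self.shadow = map(os.path.realpath, (real_root, shadow_root))

    def _rel(self, path):
        # Normalise, then refuse any path that would climb out of the managed tree.
        rel = os.path.normpath(path).lstrip(os.sep)
        if rel == ".." or rel.startswith(".." + os.sep):
            raise PermissionError(f"path escapes the tree: {path}")
        return rel

    def write(self, path, data):
        dst = os.path.join(self.shadow, self._rel(path))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        with open(dst, "wb") as f:
            f.write(data)

    def read(self, path):
        for root in (self.shadow, self.real):   # the shadow copy wins over the real file
            p = os.path.join(root, self._rel(path))
            if os.path.isfile(p):
                with open(p, "rb") as f:
                    return f.read()
        raise FileNotFoundError(path)

    def pending(self):   # files changed in the sandbox and not yet committed
        return sorted(os.path.relpath(os.path.join(d, n), self.shadow)
                      for d, _, names in os.walk(self.shadow) for n in names)

    def commit(self, path):
        # Apply one reviewed change to the real tree; everything else stays pending.
        rel = self._rel(path)
        real, shadow = os.path.join(self.real, rel), os.path.join(self.shadow, rel)
        if not os.path.isfile(shadow):
            raise KeyError(f"no pending change for {path}")
        os.makedirs(os.path.dirname(real), exist_ok=True)
        shutil.move(shadow, real)

def demo():
    # Constructed sample: an "install" that touches two files, one of them unwanted.
    fs = ShadowFS(tempfile.mkdtemp(), tempfile.mkdtemp())
    fs.write("usr/bin/tool", b"#!/bin/sh\n")
    fs.write("etc/passwd", b"tampered\n")
    before = fs.pending()
    fs.commit("usr/bin/tool")               # accept one change, leave the other uncommitted
    return before, fs.pending(), sorted(os.listdir(fs.real))
```

The value for a package manager is the review step between `pending()` and `commit()`: the real tree never sees a change that was not explicitly accepted.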