---
title: Notes - 6. Sandboxing
date: 1970-01-01T00:00:00.000Z
slug: notes-sandboxing
---
### 6. Container & Sandboxing
Flatpak → OSTree commits, combining:
GNOME: app / org.gnome.Sdk ← org.gnome.Platform/master ← org.freedesktop.Platform/23.08, a minimal Linux environment.
### bwrap, sandbox environment
No userspace process isolation, so from the host I can see the sandboxed process in /proc, and listing /proc/{pid}/root actually shows me the root of the sandbox. Via mountinfo I can see it is a bind mount from /newroot onto the sandbox's root.
/newroot is on a tmpfs, meaning there are no actual files mapped on the host, so I can't find it in the host filesystem.
/newroot is set up by bwrap itself; there is no “base” image.
All flatpak commits, including the Platform, are bind-mounted into the container's folders. E.g. org.gnome.Platform's files/ is ro-mounted at /usr inside the container, and flatpak invokes bwrap with
symlink /bin /usr/bin, symlink /lib /usr/lib, mkdir /dev, mkdir /tmp, mkdir /sys, mkdir /app … without needing to mount an image onto root; it is set up like a minimal Linux on embedded firmware (e.g. busybox Linux).
App is ro-bound at /app, platform is ro-bound at /usr, user data is saved under the XDG dirs and $HOME.
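The mountinfo observation above can be turned into a check: the mount namespace of a bwrap sandbox has a tmpfs at `/` whose mount root is `/newroot`, and the Flatpak runtime and app sit under it as read-only binds. The parser below is an added example written for these notes, not bwrap's or Flatpak's own code; the `SAMPLE_MOUNTINFO` text is constructed to look like `/proc/<pid>/mountinfo` of a Flatpak app (device numbers, deploy paths and the app id `org.example.App` are made up), and `sandbox_mounts_of()` reads the same view from the host for a real pid.

```python
"""Identify a bwrap (Flatpak) sandbox from its mountinfo.

Added example for these notes, not bwrap's or Flatpak's own code. SAMPLE_MOUNTINFO is a
constructed /proc/<pid>/mountinfo as seen for a Flatpak app under bwrap; device numbers,
deploy paths and the app id are made up.
"""
import re

# Raw string: mountinfo escapes space/tab/newline/backslash as \ooo octal, kept literally here.
SAMPLE_MOUNTINFO = r"""
602 591 0:55 /newroot / rw,nosuid,nodev,relatime - tmpfs tmpfs rw,mode=755,uid=1000,gid=1000
603 602 8:1 /var/lib/flatpak/runtime/org.gnome.Platform/x86_64/master/active/files /usr ro,nosuid,nodev,relatime - ext4 /dev/sda1 rw
604 602 8:1 /var/lib/flatpak/app/org.example.App/x86_64/stable/active/files /app ro,nosuid,nodev,relatime - ext4 /dev/sda1 rw
605 602 0:56 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
606 602 0:57 / /dev rw,nosuid,relatime - tmpfs tmpfs rw,mode=755
607 602 0:58 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw
608 602 8:1 /home/user/My\040Docs /home/user/My\040Docs rw,nosuid,nodev,relatime - ext4 /dev/sda1 rw
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    """Undo the \\ooo octal escaping that mountinfo applies to path fields."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts (field layout per proc(5)).

    Optional fields (e.g. 'master:1') sit between the options and the ' - ' separator,
    so the line is split at the separator first and only the fixed fields are indexed.
    """
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        before, _, after = line.partition(" - ")
        pre = before.split()
        post = after.split()
        mounts.append({
            "id": int(pre[0]),
            "parent": int(pre[1]),
            "dev": pre[2],
            "root": _unescape(pre[3]),        # path inside the source filesystem
            "mountpoint": _unescape(pre[4]),  # path inside this mount namespace
            "options": pre[5].split(","),
            "optional": pre[6:],
            "fstype": post[0],
            "source": _unescape(post[1]),
            "superopts": post[2] if len(post) > 2 else "",
        })
    return mounts


def find_sandbox_root(mounts):
    """bwrap's signature: the namespace root is a tmpfs whose mount root is /newroot."""
    for m in mounts:
        if m["mountpoint"] == "/" and m["fstype"] == "tmpfs" and m["root"] == "/newroot":
            return m
    return None


def readonly_binds(mounts):
    """Host directories the sandbox may only read (Flatpak's /usr and /app), keyed by mountpoint."""
    return {m["mountpoint"]: m["root"] for m in mounts
            if "ro" in m["options"] and m["root"] != "/" and m["fstype"] != "tmpfs"}


def sandbox_mounts_of(pid):
    """Same view from the host: the process's own mount namespace via /proc/<pid>/mountinfo."""
    with open(f"/proc/{pid}/mountinfo") as f:
        return parse_mountinfo(f.read())


if __name__ == "__main__":
    mounts = parse_mountinfo(SAMPLE_MOUNTINFO)
    root = find_sandbox_root(mounts)
    print("bwrap root:", root and f"mount id {root['id']} ({root['fstype']}, root={root['root']})")
    for mp, src in readonly_binds(mounts).items():
        print(f"ro bind {mp} <- {src}")
```

Run against a live pid with `sandbox_mounts_of(pid)` instead of the sample; the `options` list is checked for an exact `ro` element so that options such as `relatime` never match by substring.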
- **BootC?**
What is bootc?
It is exactly the same as ostree-native-containers; it is the origin of that.
### fakeroot
LD_PRELOAD: geteuid() → returns 0. It fools the program into thinking its uid is 0, but the user still can't access real root permissions. It just fools programs that “only allow running as root” by an internal check.
### containerized environment
rootless → the current user becomes root; any additional user inside the container gets a virtual uid, which on the host is just a ghost id. Real root becomes `nobody`, and of course it is not accessible to the user.
Here we need “rootless” unpacking. Container images have files with root ownership in their tar archive, so we need fakeroot to unpack the image to the filesystem, so that the “root”-owned files in the tar can be extracted.
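The fakeroot note and the two rootless points above fit in one worked example, added here for these notes and not taken from podman, bwrap or fakeroot. It translates ids through a constructed `/proc/<pid>/uid_map` (uid 0 → the invoking user 1000, uids 1..65535 → a subordinate range starting at 100000, so real host root has no mapping and shows up as the overflow id "nobody"), builds a small root-owned tar layer in memory, and unpacks it as the current user while recording the claimed owner in a side table. That table stands in for what fakeroot really does with an LD_PRELOAD shim and its faked daemon; the function names, the layer contents and the uid_map text are all assumptions of the example.

```python
"""Rootless unpacking: uid_map translation plus a fakeroot-style ownership table.

Added example for these notes, not podman's, bwrap's or fakeroot's own code. SAMPLE_UID_MAP
and the tar layer are constructed; fakeroot's real mechanism (an LD_PRELOAD shim answering
geteuid()/stat()/chown() from a side table kept by the faked daemon) is modelled with a dict.
"""
import io
import os
import tarfile
import tempfile

OVERFLOW_UID = 65534  # kernel overflowuid: what an unmapped id looks like ("nobody")

SAMPLE_UID_MAP = "0 1000 1\n1 100000 65536\n"  # constructed /proc/<pid>/uid_map


def parse_uid_map(text):
    """Each line: <id inside the namespace> <id outside> <count>."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, count = (int(x) for x in line.split())
            rows.append((inside, outside, count))
    return rows


def inside_to_host(uid_map, uid):
    """Container uid -> host uid; ids outside every range are shown as overflowuid."""
    for inside, outside, count in uid_map:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return OVERFLOW_UID


def host_to_inside(uid_map, uid):
    """Host uid -> container uid; real root (0) is unmapped, so it appears as nobody."""
    for inside, outside, count in uid_map:
        if outside <= uid < outside + count:
            return inside + (uid - outside)
    return OVERFLOW_UID


def build_sample_layer():
    """Constructed image layer: one root-owned file and one owned by an unprivileged uid."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, uid, data in [("etc/passwd", 0, b"root:x:0:0::/root:/bin/sh\n"),
                                ("home/app/config", 1001, b"key=value\n")]:
            info = tarfile.TarInfo(name)
            info.uid = info.gid = uid
            info.mode = 0o644
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def fakeroot_extract(layer, dest):
    """Extract as an unprivileged user. Ownership is recorded in a side table instead of
    calling os.chown(), which would fail with EPERM for any uid but our own."""
    faked = {}
    dest = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(layer)) as tf:
        for member in tf:
            if not member.isfile():
                continue  # the example covers regular files only
            path = os.path.realpath(os.path.join(dest, member.name))
            if os.path.commonpath([dest, path]) != dest:
                raise ValueError(f"member escapes destination: {member.name}")
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with tf.extractfile(member) as src, open(path, "wb") as dst:
                dst.write(src.read())
            os.chmod(path, member.mode)
            faked[member.name] = (member.uid, member.gid)  # what fakeroot would answer to stat()
    return faked


def run_demo():
    """Unpack the layer into a temp dir and compare the real and faked owner of etc/passwd."""
    uid_map = parse_uid_map(SAMPLE_UID_MAP)
    layer = build_sample_layer()
    with tempfile.TemporaryDirectory() as dest:
        faked = fakeroot_extract(layer, dest)
        real_uid = os.stat(os.path.join(dest, "etc/passwd")).st_uid
    return {
        "faked_owner": faked["etc/passwd"][0],               # what a program under fakeroot sees: 0
        "real_owner_is_me": real_uid == os.getuid(),        # what the host filesystem really holds
        "root_on_host": inside_to_host(uid_map, 0),         # container root is us on the host
        "app_user_on_host": inside_to_host(uid_map, 1001),  # ghost id in the subordinate range
        "host_root_inside": host_to_inside(uid_map, 0),     # real root shows up as nobody
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `commonpath` check is not part of the rootless story but belongs in any extractor that unpacks archives it did not build: a member named `../x` must never land outside the destination.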
### libc and compat layer..?