Hello, I have been trying to use the auroot.sh script to sandbox an application, but it doesn't seem to work. I have tried to make it manually, but it seems impossible, because aufs keeps complaining about overlaps.
The problem is that, in this case, mounting "/" and /tmp/rw in /tmp/jail would cause an infinite loop in /tmp/jail/tmp/jail/tmp..., so aufs refuses to do it. This seems reasonable, but I think there are other ways to solve it. For example, I think the best option would be an "-o overlap=exclude" or similar option, which would simply exclude the problematic directories from the resulting filesystem. In that case:

    # mount -t aufs -o br:/tmp/rw:/ aufs /tmp/jail
    mount: wrong fs type, bad option, bad superblock on aufs,
           missing codepage or helper program, or other error
           (for several filesystems (e.g. nfs, cifs) you might
           need a /sbin/mount.<type> helper program)
           In some cases useful info is found in syslog - try
           dmesg | tail or so
    # dmesg | tail
    [42693.099394] aufs test_add:393:mount[1859]: / is overlapped
    # mount -t aufs -o overlap=exclude,br:/tmp/rw:/ aufs /tmp/jail
    # ls /tmp/jail
    bin cdrom etc lib media opt srv tmp var vmlinuz.old
    boot dev home initrd.img lost+found mnt proc sbin sys usr vmlinuz
    # ls /tmp/jail/tmp/jail
    (empty)
    # ...

As you can see, instead of an infinite loop we have an empty directory. That would be easy to code and very useful (at least to me). Until then I will have to find some workaround.
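
A pre-flight check for the nesting described in the message above, as an added example that is not part of the original post and is not aufs's own logic. The function names are hypothetical, GNU realpath is assumed, and the branch-inside-branch check rests on the assumption that aufs reports that case as overlapped too.

```shell
#!/bin/sh
# Added example: report nesting in a planned aufs layout before calling mount(8).

# is_within CHILD PARENT: status 0 if CHILD equals PARENT or lies below it.
is_within() {
    child=$(realpath -m -- "$1") || return 2
    parent=$(realpath -m -- "$2") || return 2
    [ "$parent" = "/" ] && return 0       # every path lies below /
    case "$child/" in
        "$parent"/*) return 0 ;;          # trailing slash: /tmp/rwx is not in /tmp/rw
    esac
    return 1
}

# check_layout BR MNT: BR is the text after "br:", e.g. "/tmp/rw=rw:/=ro".
# Prints one line per finding and returns 1 if any nesting was found.
check_layout() {
    mnt=$2
    found=0
    old_ifs=$IFS
    IFS=:
    set -f; set -- $1; set +f             # split the branch list on ":"
    IFS=$old_ifs
    for a in "$@"; do
        pa=${a%%=*}                       # drop the =rw / =ro permission suffix
        if is_within "$mnt" "$pa"; then
            echo "mount point $mnt lies inside branch $pa"
            found=1
        fi
        for b in "$@"; do
            pb=${b%%=*}
            [ "$pa" = "$pb" ] && continue
            # Assumption: aufs also refuses branches nested in each other.
            if is_within "$pa" "$pb"; then
                echo "branch $pa lies inside branch $pb"
                found=1
            fi
        done
    done
    return $found
}

# Run as: sh check.sh /tmp/rw:/ /tmp/jail
if [ $# -eq 2 ]; then check_layout "$1" "$2"; fi
```

For the layout in the message (branches /tmp/rw and /, mount point /tmp/jail) it reports two findings, both caused by using / as a branch.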