Hello,

Restarting services under sydbox is problematic. With the joining of seccomp filters to the party, the issue gets even more difficult. Once applied, a seccomp filter can't be disabled, thus it is not possible for a sandboxed process to continue execution after sydbox exits.

This provides a good reason to implement an API to execute processes without sandbox if required. I've added support for a simple one to sydbox-1 today. Basically sydbox-1 learned a magic command, namely cmd/exec. Upon receiving this command sydbox-1 forks, changes directory to match the process, reads the environment from /proc/$pid/environ and calls execvpe(). The magic command is executed like:

    $> sydbox -- sh -c "stat $(sydfmt exec echo hello world)"
    hello world
      File: ‘/dev/sydbox/cmd/exec!echo\037hello\037world’
      Size: 0            Blocks: 0          IO Block: 512    character special file
    Device: 0h/0d        Inode: 0           Links: 0         Device type: 1,3
    Access: (0666/crw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
    $>

What `sydfmt' does is joining the program name and arguments, all separated by US (unit separator character).

A patch follows adding support to Paludis. After this change, it is easy to execute services from within exhereses. Whether it should be done or not is another topic of discussion. For example, to execute udevd from within an exheres, one can call:

    $> esandbox exec /sbin/udevd --daemon

That's it. No whitelisting, no resuming whatsoever.

Comments?

Ali Polatel (1):
  sydbox: add esandbox exec for sydbox-1

 paludis/repositories/e/ebuild/sydbox.bash | 4 ++++
 1 file changed, 4 insertions(+)

-- 
1.7.12.1
_______________________________________________
Exherbo-dev mailing list
[email protected]
http://lists.exherbo.org/mailman/listinfo/exherbo-dev
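The following is an added example, not code from sydbox, sydfmt or Paludis. It models the cmd/exec request format the post describes: an encoder that does what the post says `sydfmt exec` does (program name and arguments joined with the US character), and a decoder for the sandbox side that recognises the magic path and splits it back into an argv. The `/dev/sydbox/cmd/exec!` prefix is taken from the stat output above; the function names `sydfmt_exec`, `parse_magic` and `shell_command` are hypothetical. Because the format has no escaping, an argument that itself contains US cannot be carried unambiguously, so the encoder rejects it instead of producing a path the decoder would split wrongly.

```python
# Added example (not sydbox's, sydfmt's or Paludis's own code).
# Models the cmd/exec magic-path format described in the post.
import shlex

US = "\x1f"                              # ASCII unit separator, shown by stat as \037
MAGIC_PREFIX = "/dev/sydbox/cmd/exec!"   # prefix taken from the stat output in the post


def sydfmt_exec(program, *args):
    """Build the magic path: program and arguments joined with US.

    Mirrors what the post says `sydfmt exec` does (hypothetical reimplementation).
    Raises ValueError for values the unescaped format cannot represent.
    """
    if not program:
        raise ValueError("empty program name")
    for value in (program,) + args:
        if US in value:
            # No escaping exists, so a US inside an argument would be split
            # into two arguments on the receiving side.
            raise ValueError("argument contains the US separator: %r" % value)
        if "\0" in value:
            # A NUL can never be part of a path passed to a syscall.
            raise ValueError("argument contains NUL: %r" % value)
    return MAGIC_PREFIX + US.join((program,) + args)


def parse_magic(path):
    """Sandbox side: recognise a cmd/exec request and recover its argv.

    Returns None when the path is not a cmd/exec request at all, so ordinary
    paths fall through to normal sandbox handling. Raises ValueError on a
    request that names no program.
    """
    if not path.startswith(MAGIC_PREFIX):
        return None
    payload = path[len(MAGIC_PREFIX):]
    if not payload:
        raise ValueError("empty cmd/exec payload")
    argv = payload.split(US)
    if argv[0] == "":
        raise ValueError("empty program name in cmd/exec payload")
    return argv


def shell_command(program, *args):
    """Return a `stat` command line with the magic path shell-quoted.

    The post's `stat $(sydfmt exec ...)` relies on the path containing no
    whitespace; quoting makes it safe when an argument contains spaces or
    shell metacharacters.
    """
    return "stat " + shlex.quote(sydfmt_exec(program, *args))


if __name__ == "__main__":
    # Round-trip the two invocations that appear in the post.
    for argv in (["echo", "hello", "world"], ["/sbin/udevd", "--daemon"]):
        path = sydfmt_exec(*argv)
        assert parse_magic(path) == argv
        print(repr(path), "->", parse_magic(path))
    print(shell_command("echo", "hello world"))
```

Note that `parse_magic` only accepts the exact prefix; a path that merely contains the prefix somewhere inside it is treated as an ordinary path.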
