On 03/02/2015 09:07 AM, Michael Terry wrote:
> Sorry, I've been distracted by unity8 work and holiday, but I'm coming back to
> this thread.
>
> So my original goal was to easily (and in shortish time frame) use archive debs
> in a very fat (non-phone) snap. Seems there are several possible ways to do
> that (this list is collated from this thread, looking largely at features
> instead of maintenance or security complexity):
>

Thanks for this!

> Overlayfs (currently blessed approach):
> - Won't work on android kernels without significant backport work on our end
> - Won't (currently) work with apparmor without significant effort (LP: #1408106)

(this may not be as dire as that-- we are investigating new changes being made
upstream now and should know more this week. However, it isn't all rosy either--
we know upstream has plans to work better with LSMs, but it isn't implemented yet)

> LD_PRELOAD:
> - Is hairy to get right for all cases (many obscure low-level entry points that
> take a filename, pitti warns there are gaps)
> - App might make direct ioctl calls that can't be intercepted

I'm somewhat confused by this: doesn't the ioctl(2) call take an open fd and
therefore we wouldn't need to do anything special for it?

> - Can't work for programs that statically-link glibc (which isn't so bad because
> those aren't likely to want to pull in other debs)
> - Won't work for set[ug]id programs (which isn't a problem for snappy use cases
> right now, I believe)

Correct. Apps can't ship setuid/setgid programs.

> Aufs:
> - (out of my historical depth) Old competitor of overlayfs that we could
> resurrect in cases that overlayfs can't work, so there would be some maintenance
> work on our end to make this deprecated technology work again

- needs some apparmor changes to work correctly

-- 
Jamie Strandboge http://www.ubuntu.com/
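An added illustration of the LD_PRELOAD option discussed in the thread (this is example code, not anything from the snappy project or the people on the list). It shows the path-rewriting core such a shim needs and why the openat(2) family makes it "hairy": an absolute path can be matched by string prefix, but a relative path is interpreted against a dirfd the shim cannot see in the string. The snap root `/apps/example.snap/current`, the redirected prefixes `/usr/`, `/lib/` and `/etc/`, and the function names `remap_path`, `resolve_at` and `shim_open` are all assumptions made for the example. A real shim would be built as a shared object exporting `open`, `open64`, `openat`, `fopen`, `stat`, `access`, `execve` and the rest under their libc names and forwarding via `dlsym(RTLD_NEXT, ...)`; here the forwarding step is a raw `openat` syscall so the file builds and runs on its own.

```c
/* Example LD_PRELOAD-style path shim core (added illustration, not project code).
 * Assumed: SNAP_ROOT placeholder, REMAP_PREFIXES list, function names. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Where the snap's unpacked archive debs live (assumed placeholder path). */
#define SNAP_ROOT "/apps/example.snap/current"

/* Directory prefixes redirected into SNAP_ROOT (assumed for the example). */
static const char *const REMAP_PREFIXES[] = { "/usr/", "/lib/", "/etc/" };

enum shim_result {
    SHIM_PASSTHROUGH,     /* not under a redirected prefix: use path unchanged */
    SHIM_REMAPPED,        /* out holds SNAP_ROOT + original path */
    SHIM_TRUNCATED,       /* out too small: caller must fail, never pass a cut path */
    SHIM_UNHANDLED_DIRFD  /* relative path against a real dirfd: a gap for string rewriting */
};

/* Rewrite an absolute path by prefix. Relative paths cannot be matched here. */
enum shim_result remap_path(const char *path, char *out, size_t outsz)
{
    if (path == NULL || path[0] != '/')
        return SHIM_PASSTHROUGH;
    for (size_t i = 0; i < sizeof REMAP_PREFIXES / sizeof REMAP_PREFIXES[0]; i++) {
        size_t plen = strlen(REMAP_PREFIXES[i]);
        if (strncmp(path, REMAP_PREFIXES[i], plen) == 0) {
            int n = snprintf(out, outsz, "%s%s", SNAP_ROOT, path);
            if (n < 0 || (size_t)n >= outsz)
                return SHIM_TRUNCATED;
            return SHIM_REMAPPED;
        }
    }
    return SHIM_PASSTHROUGH;
}

/* openat(2)-style entry points: a relative path is resolved against dirfd.
 * AT_FDCWD can be resolved with getcwd; any other dirfd would need extra work
 * (e.g. reading /proc/self/fd/N), so this example reports it as a gap. */
enum shim_result resolve_at(int dirfd, const char *path, char *out, size_t outsz)
{
    char abs[PATH_MAX];
    if (path == NULL)
        return SHIM_PASSTHROUGH;
    if (path[0] == '/')
        return remap_path(path, out, outsz);
    if (dirfd != AT_FDCWD)
        return SHIM_UNHANDLED_DIRFD;
    if (getcwd(abs, sizeof abs) == NULL)
        return SHIM_PASSTHROUGH;
    size_t len = strlen(abs);
    int n = snprintf(abs + len, sizeof abs - len, "/%s", path);
    if (n < 0 || (size_t)n >= sizeof abs - len)
        return SHIM_TRUNCATED;
    return remap_path(abs, out, outsz);
}

/* What a shim's exported open() would do: rewrite, then forward. The raw
 * openat syscall stands in for the dlsym(RTLD_NEXT, "open") forward. */
int shim_open(const char *path, int flags, mode_t mode)
{
    char buf[PATH_MAX];
    enum shim_result r = remap_path(path, buf, sizeof buf);
    if (r == SHIM_TRUNCATED) {
        errno = ENAMETOOLONG;
        return -1;
    }
    const char *target = (r == SHIM_REMAPPED) ? buf : path;
    return (int)syscall(SYS_openat, AT_FDCWD, target, flags, mode);
}

int main(void)
{
    /* Constructed sample paths showing the three outcomes. */
    const char *samples[] = { "/usr/lib/libfoo.so.1", "/tmp/scratch", "share/doc" };
    char out[PATH_MAX];
    for (size_t i = 0; i < 3; i++) {
        enum shim_result r = resolve_at(3, samples[i], out, sizeof out);
        printf("%-24s -> %d%s%s\n", samples[i], r,
               r == SHIM_REMAPPED ? " " : "", r == SHIM_REMAPPED ? out : "");
    }
    return 0;
}
```

The `SHIM_UNHANDLED_DIRFD` branch is the concrete form of pitti's warning: every libc entry point that takes a filename needs its own wrapper, and the `*at` variants cannot be handled by string matching alone, whereas ioctl(2) operates on an already-open fd and needs no path rewriting at all.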
