I work on some projects that involve heavy sandboxing using namespaces. One handy thing to be able to do with sandboxes is to poke around inside them. Shells are traditional poking-around tools.
The major difficulty here is that there's generally no shell inside these sandboxes. That means I need to be able to enter the sandbox, start a shell, and use the shell, all without ever calling exec *, because there's nothing to exec. For simpler use cases, toysh sort of works, because toysh mostly knows how to function without exec :) toybox nsenter -t PID -U -m [etc] sh For fancier use cases (e.g. seccomp), this might be tricky, but it could still work. Or I could try to build toybox as a library, or I could wait until execveat(2) shows up for real. The main reason that toybox is exciting here is for its shell. * If execveat(2) ever happens, then I can exec once to start the shell. --Andy _______________________________________________ Toybox mailing list [email protected] http://lists.landley.net/listinfo.cgi/toybox-landley.net
