Google Summer of Code/2020/Ideas/FUSE-powered sandbox

From Gentoo Wiki
Jump to:navigation Jump to:search

FUSE-powered sandbox

Gentoo sandbox is a cheap hack that aims to detect when ebuilds are accessing locations they aren't supposed to reach. It is implemented as LD_PRELOAD library which generally makes it a bit of a hack. It is imperfect, sometimes requires hacks to stop breaking other software and sometimes need to be plain disabled.

I've proposed in the past to reimplement it as a overlay-alike filesystem using FUSE but never found time to work on it. The idea is rather simple — create a basic FUSE filesystem that wraps access to the root filesystem, add access control on top of it, add IPC to make it possible to edit access lists dynamically. Integrate everything into Portage, so it can be used in place of old sandbox.

Contacts Required Skills
  • Python + bash (for Portage integration)
  • any language suitable for early install for actual sandbox implementation (C or Python preferable)
  • basic knowledge of FUSE