author | Mike Frysinger <vapier@gentoo.org> | 2008-11-09 08:16:55 +0000 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2008-11-09 08:16:55 +0000 |
commit | d6af50c784a8629166d6b0da4038d714983768d0 (patch) | |
tree | a0936d63b2038e2c365ff100624cb36d3bc1f950 /README | |
parent | libsandbox: make sure wrapper.c depends on symbols.h (diff) | |
README: add some info on this project
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Diffstat (limited to 'README')
-rw-r--r-- | README | 28 |
1 files changed, 28 insertions, 0 deletions
@@ -0,0 +1,28 @@ +--------- + about +--------- + +Sandbox is a library (and helper utility) to run programs in a "sandboxed" +environment. This is used as a QA measure to try and prevent applications from +modifying files they should not. + +For example, in the Gentoo world we use it so we can build applications as root +and make sure that the build system does not do crazy things outside of its +build directory. Such as install files to the live root file system or modify +config files on the fly. + +For people who are familiar with the Debian "fakeroot" project, sandbox is very +similar to that. + +---------- + method +---------- + +The way sandbox works is that you prime a few environment variables (in order +to control the sandbox's behavior) and then stick it into the LD_PRELOAD +variable. Then when the ELF loader runs, it will first load the sandbox +library. Whenever an applications makes a library call that we have wrapped, +we'll check the arguments against the environment settings. Based on that, any +access that is not permitted is logged and we return an error to the +application. Any access that is permitted is of course forwarded along to the +real C library. |
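Review bot: In the "method" section, the text says checks happen only for "a library call that we have wrapped", but it never states the consequence: anything that does not go through the preloaded wrappers (a statically linked binary, a direct system call, or a set-uid executable for which the loader ignores LD_PRELOAD) is not checked at all. The "about" section already calls this a "QA measure"; I would add one sentence to "method" saying explicitly that sandbox is not a security boundary for that reason. Also in "method", "prime a few environment variables" does not name the variables, so consider listing them or pointing to where they are documented, and "an applications makes" should read "an application makes". In "about", "Such as install files to the live root file system ..." is a sentence fragment and would read better joined to the preceding sentence.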