I am the author of mbox. Since I got too many emails regarding mbox, here are a few things to clarify.<p><pre><code> - naming: pkgfile mbox || echo looks like a good name
- support: sorry, I don't have Mac or Windows.
</code></pre>
I particularly like to use mbox for redirecting modification to another directory. For example,<p><pre><code> $ mbox -- git checkout file
</code></pre>
You can checkout a file without overwritting the current file. You can imagine tons of usecases in this vein. Of course, blocking networks, restricting accesses of other directories, and rootless pkg installations are cute. However, to be a mature tool, I have to admit that there are lots of engineering works left -- support of 32bit .. compatibility layers .. still lots of corner cases.
>At the end of program execution, the user can examine changes in the sandbox filesystem, and selectively commit them back to the host filesystem.<p>This is a cool idea.
Hmm. Seems <i>very</i> secure.. I can't run anything.<p><pre><code> ./configure
make
./mbox ls
Stop executing pid=20987: It's not allowed to call mmap on 0x400000
</code></pre>
Same error no matter what executable I try. I'm assuming that isn't by design?
interesting, i agree with the bad choice of nomenclature though.<p>I wonder how hard it would be to port it to dtrace (also dtrace would defeat the not needing root requirement).<p>although macs already include a sandbox[1] i find it everything but intuitive to use. it's already ridiculously complicated to setup. see ironfox as reference [2]. since you have to allow all sorts of mach port process execution pasteboard mach port access, etc.<p>check this app, which is allowed to play music and access the clipboard, but not access the internet. [3]<p>[1] <a href="https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html" rel="nofollow">https://developer.apple.com/library/mac/documentation/Darwin...</a><p>[2] <a href="https://www.romab.com/ironfox/IronFox-1.5-beta.dmg" rel="nofollow">https://www.romab.com/ironfox/IronFox-1.5-beta.dmg</a><p>[3] <a href="https://gist.github.com/03a481b6d39912b33d52" rel="nofollow">https://gist.github.com/03a481b6d39912b33d52</a>
It would be interesting to run a benchmark. My impression is that ptrace interceptions would add a significant overhead but I can be wrong. Still, it looks like a great project.<p>Alternatively they could use unshare and aufs to overlay another filesystem on top of a read-only root.
Kudos to the authors for releasing their source code on github. The code may have some rough edges at the moment, but putting it on Github is a great way to encourage collaboration / improvements, and can only encourage greater adoption of their ideas.
Slides end with a few questions:<p>> Why 20% on tar? just rewriting path arguments doesn't
seem to be demanding work.<p>Is most of that the overhead from syscalls being filtered by seccomp/BPF?
Definitely looking forward to seeing this progress. It certainly seems to fill a void especially in a world where it is quite common to share command line tools as seen earlier today in the post about "hr for your terminal"<p><a href="https://news.ycombinator.com/item?id=7213347" rel="nofollow">https://news.ycombinator.com/item?id=7213347</a>
The mechanism seems similar to PRoot ( <a href="http://proot.me/" rel="nofollow">http://proot.me/</a> ) which uses ptrace to intercept filesystem operations to create a userspace chroot.<p>I wonder if there's value in creating a library for intercepting filesystem operations via ptrace...