Tags: linux, sandbox, gentoo, checkinstall

How can I sandbox filesystem activity, particularly writes?

Gentoo has a feature in Portage that prevents and logs writes outside of the build and packaging directories.

Checkinstall is able to monitor writes, and package up all the generated files after completion.

Autotools have the DESTDIR macro, which usually enables you to direct most of the filesystem activity to an alternate location.

Solution

  • There are two methods to do this. One is to use LD_PRELOAD to hook library calls that result in syscalls, such as those in libc, and call dlsym/dlopen. This will not allow you to directly hook syscalls.

    The second method, which allows hooking syscalls, is to run your executable under ptrace, which provides options to stop and examine syscalls when they occur. This can be set up programmatically to sandbox calls to restricted areas of the filesystem, among other things.
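The ptrace method described in this answer, as an added example that is not part of the original post: a minimal x86_64 Linux tracer that stops its child at every syscall entry, inspects openat() calls, and turns any write-capable open of a path outside an allowed prefix into an invalid syscall so the tracee's open() fails. The ALLOWED prefix, the workload paths and the function names are constructed for this example, and it assumes glibc's open() is implemented via the openat syscall.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
#define ALLOWED "/tmp/" /* constructed policy: the only prefix the tracee may write under */
/* Copy a NUL-terminated path out of the tracee's memory one word at a time (buf is pre-zeroed). */
static void read_path(pid_t pid, unsigned long addr, char *buf, size_t len) {
    for (size_t i = 0; i + sizeof(long) < len; i += sizeof(long)) {
        errno = 0; long w = ptrace(PTRACE_PEEKDATA, pid, addr + i, NULL);
        memcpy(buf + i, &w, sizeof w); if (errno || memchr(&w, 0, sizeof w)) break;
    }
}
static void workload(void) { /* tracee (constructed): one write inside ALLOWED, two outside it */
    open(ALLOWED "sandbox-ok.txt", O_WRONLY | O_CREAT, 0600);  /* permitted */
    open("/var/sandbox-escape.txt", O_WRONLY | O_CREAT, 0600); /* denied */
    open("/etc/passwd", O_RDWR);                               /* denied */
    _exit(0);
}
/* Run workload() under ptrace and veto openat() calls that would write outside ALLOWED (x86_64
   register layout). Returns the number of denied opens, or -1 if ptrace is unavailable here. */
int run_sandboxed(void) {
    int status = 0, denied = 0, entering = 1;
    pid_t pid = fork(); /* tracee: volunteer for tracing, then pause until the tracer is ready */
    if (pid == 0 && ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0) { raise(SIGSTOP); workload(); }
    if (pid == 0) _exit(99); /* only reached when ptrace is unavailable */
    waitpid(pid, &status, 0); if (pid < 0 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        ptrace(PTRACE_SYSCALL, pid, NULL, NULL); /* run to the next syscall entry or exit */
        waitpid(pid, &status, 0);
        if (!WIFSTOPPED(status)) break;                     /* tracee exited */
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) continue; /* not a syscall stop */
        struct user_regs_struct r; ptrace(PTRACE_GETREGS, pid, NULL, &r);
        /* openat(rdi=dirfd, rsi=path, rdx=flags): inspect write-capable opens at entry only */
        if (entering && r.orig_rax == SYS_openat && (r.rdx & (O_WRONLY | O_RDWR | O_CREAT | O_TRUNC))) {
            char path[256] = {0}; read_path(pid, r.rsi, path, sizeof path);
            if (strncmp(path, ALLOWED, strlen(ALLOWED)) != 0) {
                r.orig_rax = -1; /* invalid syscall number: the kernel skips it, open() fails with ENOSYS */
                ptrace(PTRACE_SETREGS, pid, NULL, &r); denied++;
            }
        }
        entering = !entering;
    }
    return denied;
}
```

A real build sandbox would also have to cover mkdir, unlink, rename, chmod and the other *at variants, resolve relative paths against dirfd, and set a clearer errno such as EACCES at the syscall-exit stop.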