软件加固/安全沙箱>> homestead>> 返回
项目作者: tmewett

项目描述 :
Rootless sandbox for your home directory
高级语言: Shell
项目地址: git://github.com/tmewett/homestead.git
创建时间: 2021-06-27T12:37:20Z
项目社区:https://github.com/tmewett/homestead
开源协议:MIT License
下载


homestead

The most convenient sandbox for your home directory.

  1. Usage: homestead [OPTIONS] [-n NAME] [COMMAND...]
  3. Isolate changes to your home directory.
  5. Runs a command in a sandbox. Everything in the current working directory
  6. is writeable as normal, but other files in your home directory are read-only.
  8. With `-n NAME`, the home directory is writeable, but all changes are stored in
  9. an overlay called NAME. Outside of the homestead, the files are unmodified.
  10. The overlay is created if it doesn't exist.
  12. The homestead overlay is stored in /home/steads/tom.
  14. If COMMAND is not specified, an interactive shell is started.
  16. Options:
  17.   -n NAME       save all writes in the home directory into overlay NAME
  18.   --no-cwd      don't pass the current directory through the sandbox
  19.   -u            unmount & cleanup instead of entering (requires -n)
  20.   -s            isolate more things (PIDs, IPC, cgroup, /proc, /tmp)
  21.   -h, --help    show this help text

Example:

  1. ~/gizmo$ homestead -n gizmo-dev
  2. starting shell in homestead - type ctrl-d or 'exit' to leave
  3. (gizmo-dev) ~/gizmo$ ./install.sh       # I don't know what this command might do!
  4. ...
  5. (gizmo-dev) ~/gizmo$ ls ~/.gizmo-files  # Ah, it put stuff in my home
  6. bin/  data/  thing  stuff
  7. (gizmo-dev) ~/gizmo$ exit               # But if I leave the sandbox...
  8. ~/gizmo$ ls ~/.gizmo-files              # ...there is nothing left!
  9. ls: cannot access '~/.gizmo-files': No such file or directory
  10. ~/gizmo$ ls -a /home/steads/$USER/gizmo-dev  # The files are kept separate
  11. .gizmo-files/
  12. ~/gizmo$ homestead -n gizmo-dev         # I can re-enter any time

This means you can run unknown code as your user account, without worrying about
it installing, re-configuring, or deleting any files outside of the current
directory. It also means you can cleanly remove any changes, without having to
hunt down what has been added or changed.

Feedback welcome!

Installation

Manually

  1. Install Fish, bwrap, and fuse-overlayfs.
  2. Download homestead to somewhere in your $PATH.

  3. Create the world-writeable homestead directory as root:

    1. mkdir /home/steads
    2. chmod 777 /home/steads

Note that homestead can be used as root without fuse-overlayfs.

Security

Homestead is designed to protect against changes to your home directory from
direct file access. Besides that, the sandbox has a low level of isolation, so
it is possible in theory for processes inside to affect the world outside e.g.
via inter-process communication such as D-Bus. The -s option provides more
process isolation, should you require it.

Bubblewrap, the sandbox tool used by homestead, is highly secure, but the
configuration used is likely insufficient for running truly untrusted code
safely.