Sandboxing under GoboLinux
The build system in GoboLinux uses sandboxing to ensure that all the filesystem writes during the software install phase are limited to an appropriate part of the filesystem. GoboLinux 016 ships with two different sandbox implementations.
UnionSandbox is a modern implementation which uses file system unions to achieve isolation. It is the default sandbox installer.
FiboSandbox is a fallback method used when a union-filesystem implementation is not available in the running kernel. It sets up an isolated environment and commands are run by a special user (named fibo) without root privileges.
During the installation phase of the software build process, most build systems call the install program to copy files to their destination directories with the proper ownership and attributes. install belongs to the CoreUtils package.
Since user fibo lacks authority to change file ownership,
the link at
to a wrapper script in the Scripts package.
Under UnionSandbox, this wrapper script translates the
superuser name if necessary and calls
real_install, a symlink to the CoreUtils
install utility, passing along the modified
Under FiboSandbox, the wrapper discards change-of-owner directives
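
The following is an added sketch, not the wrapper shipped in the GoboLinux Scripts package: it shows how a wrapper can discard or rewrite the ownership options of install before the remaining arguments are handed to real_install. The function names, the drop and map modes, and the SUPERUSER variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not the GoboLinux Scripts wrapper.
# rewrite_install_args MODE ARGS...  prints the new argv, one argument per line
# (assumes no newlines inside arguments; clustered short options such as
# "-vo root" and abbreviated long options are not handled).
#   MODE=drop : discard owner/group options (the FiboSandbox case)
#   MODE=map  : rewrite owner "root" to $SUPERUSER (hypothetical variable)
SUPERUSER=${SUPERUSER:-root}

map_owner() {
    if [ "$1" = root ]; then printf '%s\n' "$SUPERUSER"; else printf '%s\n' "$1"; fi
}

rewrite_install_args() {
    mode=$1; shift
    while [ $# -gt 0 ]; do
        case $1 in
            --)   # everything after "--" is a file operand: pass through untouched
                printf '%s\n' "$@"; return 0 ;;
            -o|--owner)
                [ $# -ge 2 ] || { echo "install wrapper: $1 needs a value" >&2; return 2; }
                [ "$mode" = drop ] || { printf '%s\n' "$1"; map_owner "$2"; }
                shift 2; continue ;;
            -g|--group)
                [ $# -ge 2 ] || { echo "install wrapper: $1 needs a value" >&2; return 2; }
                [ "$mode" = drop ] || printf '%s\n' "$1" "$2"
                shift 2; continue ;;
            --owner=*)
                [ "$mode" = drop ] || printf '%s%s\n' --owner= "$(map_owner "${1#--owner=}")" ;;
            -o?*)  # attached short form, e.g. -oroot
                [ "$mode" = drop ] || printf '%s%s\n' -o "$(map_owner "${1#-o}")" ;;
            --group=*|-g?*)
                [ "$mode" = drop ] || printf '%s\n' "$1" ;;
            *)
                printf '%s\n' "$1" ;;
        esac
        shift
    done
}
```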