PoC shell sandboxing using QEMU and virtiofsd. Simply enter qsandbox run
to open your current working dir in a temporary QEMU vm.
Clone the repo and link qsandbox
somewhere in your path. The script currently expects the image
and ssh
folder next to its location on disk.
You'll need a few things for the script to work:
- A ssh key pair in
ssh/qemu_ssh
&ssh/qemu_ssh.pub
. You can link your default key pair or use the chance to generate one without a passphrase. image/image.qcow2
,image/vmlinuz-linux
,image/initramfs-linux-custom.img
. Thebuild.sh
script can build these based on arch
These requirements are currently hard coded but should be configurable in the future.
Usage:
qsandbox run [dir] - start sandbox and mount current working dir
qsandbox list - list running sandboxes
qsandbox enter - open ssh connection to a sandbox
qsandbox qemu - start the qemu process for a new sandbox, used by run
Starts a new vm using systemd-run
and qsandbox qemu
, mounts the current working dir or the specified directory and opens an ssh session.
Lists all running sandboxes and their ssh ports.
A wrapper around ssh
. Takes port as only argument but defaults to 5555
.
Starts the actual sandbox.
By default, QEMU exposes two ports for each sandbox. An ssh port (starting at 5555
) and an "app port" that can be used by some app in the vm (starting at 8000
). Ports should be configurable in the future.
Mount the default share automatically:
echo -e "share.1\t/mnt\tvirtiofs\trw,_netdev\t0\t0" >> /etc/fstab
Disable auth on the QEMU serial console:
mkdir -p /etc/systemd/system/serial-getty@ttyS0.service.d
echo -e "[Service]\nExecStart=\nExecStart=-/usr/bin/agetty --autologin root -s %I 115200,38400,9600 vt102" > /etc/systemd/system/serial-getty@ttyS0.service.d/autologin.conf
MIT