Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

isolate processes on linux

branch: master

Fetching latest commit…

Octocat-spinner-32-eaf2f5

Cannot retrieve the latest commit at this time

Octocat-spinner-32 Makefile
Octocat-spinner-32 README.markdown
Octocat-spinner-32 encapsulate.c
README.markdown

Encapsulate

Linux utility to isolate a process and its children while providing a full environment easily. Makes use of Linux's namespace capabilities and is thus totally unportable. It also might require more Linux kernel options than you have enabled.

Usage

encapsulate writable-subtree|tree2|tree3|... command args...

Isolation

encapsulate:

  • detaches itself (and its children) from the system's mount point table, IPC table, process ID table and network stack instance,
  • mounts the current filesystem view to a temporary directory,
  • marks it read-only,
  • mounts the writable-subtrees (delimited by |) at its "native" location into the new directory hierarchy,
  • chroots to the newly mounted root directory,
  • chdirs to the current directory (but inside the chroot),
  • setuids back to the current user,
  • and finally calls command with args

A separate process waits for all this to finish and deletes the temporary directory afterwards.

The result is that command runs in a system similar to the real one with a couple of exceptions. First, only files below writable-subtree are writable, everything else (including /tmp, unless that's the directory you choose) is read-only. Second, command can't inspect many aspects of the system (such as currently running processes) or interact with processes easily. Third, network is blocked, so if command attempts to run a spam-bot, it will fail.

Example

encapsulate /tmp|/home/foo bash

This starts a shell with "just the same" filesystem view as normal, but with everything but /tmp and /home/foo (and their subdirectories) readonly. The new view is mounted to a temporary directory, but that happens in a separate namespace, so this isn't visible to the host system except for an empty directory in /tmp.

Something went wrong with that request. Please try again.