[Toybox] A usecase for execless toysh

Andy Lutomirski luto at amacapital.net
Sun Oct 19 13:02:22 PDT 2014


I work on some projects that involve heavy sandboxing using
namespaces.  One handy thing to be able to do with sandboxes is to
poke around inside them.  Shells are traditional poking-around tools.

The major difficulty here is that there's generally no shell inside
these sandboxes.  That means I need to be able to enter the sandbox,
start a shell, and use the shell, all without ever calling exec *,
because there's nothing to exec.

For simpler use cases, toysh sort of works, because toysh mostly knows
how to function without exec :)

toybox nsenter -t PID -U -m [etc] sh

For fancier use cases (e.g. seccomp), this might be tricky, but it
could still work.  Or I could try to build toybox as a library, or I
could wait until execveat(2) shows up for real.  The main reason that
toybox is exciting here is for its shell.

* If execveat(2) ever happens, then I can exec once to start the shell.

--Andy


More information about the Toybox mailing list