[Toybox] A usecase for execless toysh
Andy Lutomirski
luto at amacapital.net
Sun Oct 19 13:02:22 PDT 2014
I work on some projects that involve heavy sandboxing using
namespaces. One handy thing to be able to do with sandboxes is to
poke around inside them. Shells are traditional poking-around tools.
The major difficulty here is that there's generally no shell inside
these sandboxes. That means I need to be able to enter the sandbox,
start a shell, and use the shell, all without ever calling exec *,
because there's nothing to exec.
For simpler use cases, toysh sort of works, because toysh mostly knows
how to function without exec :)
toybox nsenter -t PID -U -m [etc] sh
For fancier use cases (e.g. seccomp), this might be tricky, but it
could still work. Or I could try to build toybox as a library, or I
could wait until execveat(2) shows up for real. The main reason that
toybox is exciting here is for its shell.
* If execveat(2) ever happens, then I can exec once to start the shell.
--Andy
More information about the Toybox
mailing list