setting up a chroot jail

Duncan Coutts duncan.coutts at
Thu Jun 14 13:15:24 EDT 2007

On Wed, 2007-06-13 at 21:55 +0200, Marc Weber wrote:
> >  [..] 
> >   4) use dpkg to install necessary debian packages
> > 
> 5) Use the Gentoo Portage sandbox (thus generate a Gentoo package for
>    each documentation package (will work on Gentoo only))

The Gentoo sandbox program does not mean one has to generate Gentoo
packages. It's a fairly self-contained program.

Note that the sandbox is not a chroot jail. It's kind of a supervisor
for child processes that enforces a policy (given in a config file) for
access to the file system. The Gentoo package builder tool uses that to
allow a build process to have read-only access to the entire file system
and write access to just the build directory (and sub-directories). As I
understand it, it works using the Linux kernel's ptrace mechanism to
intercept and check syscalls against the security policy.

I'm sure sandbox works on any Linux system, not just Gentoo, so it might
be a good solution for HackageDB. I expect it'd use more or less the
same kind of security policy that the Gentoo package build tools use, i.e.
read-only to the whole system and read/write for the specific build
directory (and directory where the installed image/docs is put).
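
The policy described in the message above (read-only everywhere, writes only below the build and image directories), sketched as a path check. This is an added example, not code from the Gentoo sandbox or from the original mail; the function names and sample paths are assumptions, and it models only the allow/deny decision for an intercepted open(), not the interception itself.

```python
import os
import tempfile

# Any of these flags means the open() can modify the file system.
WRITE_FLAGS = os.O_WRONLY | os.O_RDWR | os.O_CREAT | os.O_TRUNC | os.O_APPEND


def is_under(path, root):
    """True if path is root or lies below it, compared per component."""
    return os.path.commonpath([path, root]) == root


def check_open(path, flags, writable_roots, cwd="/"):
    """Decide whether an intercepted open(path, flags) is allowed.

    Reads are allowed anywhere; modifying opens only below writable_roots.
    """
    if not flags & WRITE_FLAGS:
        return True
    # Resolve relative paths, "..", and symlinks before comparing, so that
    # build/../etc/x or a symlink inside the build dir cannot escape it.
    target = os.path.realpath(os.path.join(cwd, path))
    roots = [os.path.realpath(r) for r in writable_roots]
    return any(is_under(target, r) for r in roots)


def violations(trace, writable_roots):
    """Return the (path, flags) entries of a trace that the policy denies."""
    return [(p, f) for p, f, cwd in trace
            if not check_open(p, f, writable_roots, cwd)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as top:
        build = os.path.join(top, "build")   # constructed sample layout
        os.mkdir(build)
        trace = [  # constructed sample of intercepted open() calls
            ("/etc/passwd", os.O_RDONLY, build),
            ("Setup.o", os.O_WRONLY | os.O_CREAT, build),
            ("../escape.txt", os.O_WRONLY | os.O_CREAT, build),
            (build + "-evil/x", os.O_WRONLY, "/"),
        ]
        for path, flags in violations(trace, [build]):
            print("DENY", path, oct(flags))
```

The component-wise comparison is what keeps a sibling directory whose name merely starts with the build directory's name from being treated as writable.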


