GitHub - aaronjanse/bwrap-shell: [WIP] Shell that runs every command in a chroot, without access to the parent directory

Inspiration: Dot Dot Considered Harmful - Fuchsia.

This is an ion shell fork that runs every command in a sandbox containing only the current working directory (along with stuff like /dev, but we'll ignore that for now), along with file paths passed as arguments. So, programs can only operate upon the current working directory.

Note that git, htop, etc all work as expected, for the most part, which is pretty cool.

Note that this does not create secure sandboxes, due to bubblewrap CVE-2017-5226. I also carelessly mount stuff like /lib and /proc.

Dependencies:

bubblewrap must be installed as setuid and in the $PATH

Attribute the shell features that work well to the Redox OS contributors. Broken features are likely due to my modifications, which is okay because this repo is just a proof-of-concept.

Name		Name	Last commit message	Last commit date
Latest commit History 2,136 Commits
.gitlab		.gitlab
benches		benches
ci		ci
debian		debian
examples		examples
fuzz		fuzz
manual		manual
members		members
sh-interrupt		sh-interrupt
src		src
testing		testing
tests		tests
.envrc		.envrc
.gitignore		.gitignore
.gitlab-ci.yml		.gitlab-ci.yml
CONTRIBUTING.md		CONTRIBUTING.md
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
build.rs		build.rs
redox_linker		redox_linker
rustfmt.toml		rustfmt.toml
shell.nix		shell.nix

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

About

Uh oh!

Releases

Packages

Languages

License

aaronjanse/bwrap-shell

Folders and files

Latest commit

History

Repository files navigation

About

Resources

License

Contributing

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages