The license was already stated in the source file, but some tools prefer it this way.
Linux utility to isolate a process and its children while providing a full environment easily. Makes use of Linux’s namespace capabilities and is thus totally unportable. It also might require more Linux kernel options than you have enabled.
```
encapsulate writable-subtree|tree2|tree3|... command args...
```

`writable-subtrees` (delimited by `|`) at its “native” location into the new directory hierarchy,
A separate process waits for all this to finish and deletes the temporary directory afterwards.
The result is that `command` runs in a system similar to the real one with a couple of exceptions. First, only files below `writable-subtree` are writable; everything else (including /tmp, unless that’s the directory you choose) is read-only. Second, `command` can’t inspect many aspects of the system (such as currently running processes) or interact with processes easily. Third, network is blocked, so if `command` attempts to run a spam-bot, it will fail.
```
# Quote the first argument so the shell does not treat | as a pipe.
encapsulate '/tmp|/home/foo' bash
```

This starts a shell with “just the same” filesystem view as normal, but with everything except /tmp and /home/foo (and their subdirectories) read-only. The new view is mounted to a temporary directory, but that happens in a separate namespace, so this isn’t visible to the host system except for an empty directory in /tmp.
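To audit a `|`-delimited writable-subtree argument before running a command under it, the following added example (not code from encapsulate itself) models the policy described above: a path is writable only if it equals or lies below one of the listed subtrees. The function names are assumptions, and the check compares path strings only; it does not resolve symlinks or reproduce what the kernel's mounts do.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True when path contains a ".." component (rejected: not canonical). */
static bool has_dotdot(const char *path)
{
    for (const char *p = path; (p = strstr(p, "..")) != NULL; p += 2)
        if ((p == path || p[-1] == '/') && (p[2] == '\0' || p[2] == '/'))
            return true;
    return false;
}

/* True when path equals root[0..rlen) or lies below it. Whole components
 * are compared, so "/tmp" does not match "/tmpfoo". */
static bool below(const char *root, size_t rlen, const char *path)
{
    while (rlen > 1 && root[rlen - 1] == '/')   /* ignore trailing slashes */
        rlen--;
    if (rlen == 0 || root[0] != '/' || strncmp(root, path, rlen) != 0)
        return false;
    if (rlen == 1)                               /* root is "/" */
        return true;
    return path[rlen] == '\0' || path[rlen] == '/';
}

/* spec is the '|'-delimited first argument; empty entries are skipped. */
bool is_writable(const char *spec, const char *path)
{
    if (path[0] != '/' || has_dotdot(path))
        return false;
    for (const char *p = spec;;) {
        size_t len = strcspn(p, "|");
        if (below(p, len, path))
            return true;
        if (p[len] == '\0')
            return false;
        p += len + 1;
    }
}

int main(void)
{
    /* Constructed sample paths, checked against the README's example spec. */
    const char *spec = "/tmp|/home/foo";
    const char *paths[] = { "/tmp/build/a.o", "/tmpfoo", "/home/foo",
                            "/home/foobar/x", "/tmp/../etc/passwd" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-22s %s\n", paths[i],
               is_writable(spec, paths[i]) ? "writable" : "read-only");
    return 0;
}
```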