Internships/ProjectIdeas/VirtiofsdSandboxingTool: Difference between revisions
(Created page with "=== A sandboxing tool for virtiofsd === ''Summary:''' Create a tool that runs virtiofsd in a sandboxed environment Virtiofs is a shared file system that lets virtual machines access a directory tree on the host. Unlike existing approaches, it is designed to offer local file system semantics and performance. Currently, virtiofsd integrates the sandboxing code and the server code in a single binary. The goal is to extract that code and create an external tool that...") |
|||
(2 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
=== A sandboxing tool for virtiofsd === | === A sandboxing tool for virtiofsd === | ||
''Summary:''' Create a tool that runs virtiofsd in a sandboxed environment | '''Summary:''' Create a tool that runs virtiofsd in a sandboxed environment | ||
Virtiofs is a shared file system that lets virtual machines access a directory | Virtiofs is a shared file system that lets virtual machines access a directory | ||
Line 10: | Line 10: | ||
single binary. The goal is to extract that code and create an external tool that | single binary. The goal is to extract that code and create an external tool that | ||
creates a sandbox environment and runs virtiofsd in it. In addition, that tool | creates a sandbox environment and runs virtiofsd in it. In addition, that tool | ||
should be extended to be able to run virtiofsd in a restricted environment with | should be extended to be able to run virtiofsd in a restricted environment with Landlock. | ||
Landlock. | |||
This will allow greater flexibility when integrating virtiofsd into a VMM or | This will allow greater flexibility when integrating virtiofsd into a VMM or | ||
Line 17: | Line 16: | ||
Goals: | Goals: | ||
* Understand how to setup a restricted environment using chroot, namespaces, and | * Understand how to setup a restricted environment using chroot, namespaces, and Landlock | ||
* Refactor virtiofsd to extract the sandbox code to its own crate | * Refactor virtiofsd to extract the sandbox code to its own crate | ||
* Create an external sandboxing tool for virtiofsd | * Create an external sandboxing tool for virtiofsd |
Latest revision as of 16:47, 21 February 2023
A sandboxing tool for virtiofsd
Summary: Create a tool that runs virtiofsd in a sandboxed environment
Virtiofs is a shared file system that lets virtual machines access a directory tree on the host. Unlike existing approaches, it is designed to offer local file system semantics and performance.
Currently, virtiofsd integrates the sandboxing code and the server code in a single binary. The goal is to extract that code and create an external tool that creates a sandbox environment and runs virtiofsd in it. In addition, that tool should be extended to be able to run virtiofsd in a restricted environment with Landlock.
This will allow greater flexibility when integrating virtiofsd into a VMM or running it inside a container.
Goals:
- Understand how to setup a restricted environment using chroot, namespaces, and Landlock
- Refactor virtiofsd to extract the sandbox code to its own crate
- Create an external sandboxing tool for virtiofsd
Links:
Details:
- Project size: 175 hours
- Skill level: intermediate (knowledge of Rust and C)
- Language: Rust
- Mentor: German Maglione <gmaglione@redhat.com>, Stefano Garzarella <sgarzare@redhat.com>
- Suggested by: German Maglione <gmaglione@redhat.com>