Internships/ProjectIdeas/VirtiofsdSandboxingTool: Difference between revisions
Revision as of 16:55, 17 February 2023
A sandboxing tool for virtiofsd
Summary: Create a tool that runs virtiofsd in a sandboxed environment
Virtiofs is a shared file system that lets virtual machines access a directory tree on the host. Unlike existing approaches, it is designed to offer local file system semantics and performance.
Currently, virtiofsd integrates the sandboxing code and the server code in a single binary. The goal is to extract that code and create an external tool that creates a sandbox environment and runs virtiofsd in it. In addition, that tool should be extended to be able to run virtiofsd in a restricted environment with Landlock.
This will allow greater flexibility when integrating virtiofsd into a VMM or running it inside a container.
Goals:
- Understand how to set up a restricted environment using chroot, namespaces, and Landlock
- Refactor virtiofsd to extract the sandbox code to its own crate
- Create an external sandboxing tool for virtiofsd
Links:
Details:
- Project size: 175 hours
- Skill level: intermediate (knowledge of Rust and C)
- Language: Rust
- Mentor: German Maglione <gmaglione@redhat.com>, Stefano Garzarella <sgarzare@redhat.com>
- Suggested by: German Maglione <gmaglione@redhat.com>