A sandboxing tool for virtiofsd
Summary: Create a tool that runs virtiofsd in a sandboxed environment
Virtiofs is a shared file system that lets virtual machines access a directory tree on the host. Unlike existing approaches, it is designed to offer local file system semantics and performance.
Currently, virtiofsd integrates the sandboxing code and the server code in a single binary. The goal is to extract the sandboxing code and build an external tool that creates a sandbox environment and runs virtiofsd in it. In addition, that tool should be extended so that it can run virtiofsd in a restricted environment with Landlock.
This will allow greater flexibility when integrating virtiofsd into a VMM or running it inside a container.
Goals:
- Understand how to set up a restricted environment using chroot, namespaces, and Landlock
- Refactor virtiofsd to extract the sandbox code to its own crate
- Create an external sandboxing tool for virtiofsd
Details:
- Project size: 175 hours
- Skill level: intermediate (knowledge of Rust and C)
- Language: Rust
- Mentor: German Maglione <gmaglione@redhat.com>, Stefano Garzarella <sgarzare@redhat.com>
- Suggested by: German Maglione <gmaglione@redhat.com>