Install and run AUR packages in sandbox

gpc · 2017-02-23 16:53:35

I'm looking for a system to install and run AUR packages in a sandbox, to allow quick installation of and trying out of the package without worrying about possible malware.

My current idea is, using scripts: install the AUR package's official package dependencies normally as needed; as a sandbox user: make and install AUR package in sandbox account's root directory, maintain directory structure with symlinks in sandbox user's root directory to /usr /bin /opt etc. using mount --bind to maintain access to /, fakechroot into sandbox's root directory to allow AUR application to access it's installed files where it expects them, run the application. (And the other thing to decide is whether to log into sandbox account in separate tty, use Xephyr, or allow access to main account's display (last sounds easiest but insecure, I wonder if there is much risk?).)

How is my idea? Has it been done in whole or part somehow already? Would it function as a sandbox? How would you do it differently?

Obviously the mode of user's files should keep out the sandbox account.

Awebb · 2017-02-23 18:20:09

I have been where you are.

1. Google: "linux container"
2. Think: "That's not exactly what I had in mind.
3. Think: "Hmm."
4. Implement your own idea.
5. Recognize just how deep the rabbit hole goes.
6. Google: "linux container"
7. Think: "One of them will do fine."

EDIT: To answer your question: Your idea sucks, because containers suck, but your idea is great, because containers suck the least among all those solutions.

Last edited by Awebb (2017-02-23 18:21:38)

JohnBobSmith · 2017-02-23 19:09:24

Maybe this short list of sandbox software will help?? https://wiki.archlinux.org/index.php/Li … #Sandboxes. I've heard good things about firejail, never used any form of sandbox software myself though.

rdeckard · 2017-02-23 20:02:37

I create ephemeral systemd-nspawn containers where I build AUR packages. I bind the pacman cache and the cache for a local repo I use for my AUR packages. So I can build and test in the container and then install using pacman after leaving the container. Not really for sandboxing as much as building and testing.

Here's what it looks like:

sudo systemd-nspawn --as-pid2 --quiet --register=no --user=$USER --ephemeral --directory=/ --bind=/var/cache/pacman/aur --bind=/var/cache/pacman/pkg

It only works with btrfs, creating a snapshot of the current root subvolume and deleting it when done.

Last edited by rdeckard (2017-02-23 20:04:07)

eschwartz · 2017-02-23 22:51:22

Oddly, I do much the same except using makechrootpkg and arch-nspawn from [extra]/devtools, which is so much easier because it already exists.
And has the advantage of building it in isolation from the usual garbage which accumulates on the average system, makes use of btrfs if possible but falls back on plain old "copying files around"...

graysky · 2017-02-23 23:05:48

+1 for containers... I spent quite a bit of time on the lxc and related wiki pages. Have a look.

Last edited by graysky (2017-02-23 23:34:21)

Arch Linux

#1 2017-02-23 16:53:35

Install and run AUR packages in sandbox

#2 2017-02-23 18:20:09

Re: Install and run AUR packages in sandbox

#3 2017-02-23 19:09:24

Re: Install and run AUR packages in sandbox

#4 2017-02-23 20:02:37

Re: Install and run AUR packages in sandbox

#5 2017-02-23 22:51:22

Re: Install and run AUR packages in sandbox

#6 2017-02-23 23:05:48

Re: Install and run AUR packages in sandbox

Board footer