Description: | A FUSE-based filesystem sandbox. |
Latest Version: | 2012.12.24.1 |
Source Code: | src/ |
Architecture: |
|
Dependencies: |
|
Arch Repositories: |
|
AUR Page: | facadefs |
Arch Forum Thread: | 81027 |
Tags: |
facadefs [options]
facadefs <root> <cache> <mointpoint> [fuse options]
FacadeFS (pronounced “façade F S”) is a FUSE-based filesystem
sandbox. It enables the user to mount part of the filesystem
(<root>
) at a different node
(<mountpoint>
). The mountpoint will appear to mirror
the root and will be modifiable but all modifications will be
intercepted so that the root will remain unchanged. Modified versions of
files and new files will be stored in the cache
(<cache>
) in a parallel hierarchy.
FacadeFS can also accept a configuration file which can be used to modify file permissions, hide files and even enable direct modification of the underlying files. See the configuration file section below.
The configuration file makes it possible to modify the presentation of the underlying filesystem. It is broken into separate sections:
This section can be used to change the apparent mode of files. This can include both increased and decreased privileges. The ability to increase privileges depends on the permissions of the running process. If the running process cannot read a file, it is not possible to elevate its privileges.
Each line should contain an octal integer followed by a path pattern (see below for path pattern syntax). The octal integer is in the format used by the chmod command. If the integer is preceeded with “+” or “-”, it will be interpretted as a relative mask instead of an absolute mode. Here are some examples:
644 <pattern>
-111 <pattern>
+002 <pattern>
This section contains a list of patterns, one per line. All files which match the pattern will appear to have been deleted in the mounted filesystem. This is useful for hiding files from the system.
Note that dissociating a directory also dissociates all of its contents.
Some paths should probably not be dissociated, such as /proc, /sys, /dev, etc. These contain information which may be necessary within the sandbox.
This section can be used to give the system direct access to the underlying files. All files matched by a pattern in this section can be directly modified through the mounted filesystem. This may be useful for /proc, /tmp, /var/log and others.
Extreme caution should be used when including this section in a configuration file. It you are not careful you may unintentionally negate all the benefits of the sandbox. Only use it if you know what you are doing and make sure that you test your patterns before using them for anything important.
Note that /dev/null, /dev/random and /dev/urandom are the only default “live” paths.
There are three types of path patterns:
All patterns which begin with “regex:” will be treated as a regular expression. The regular expressions are interpretted using Python’s re module and thus the user should consult the module’s documentation to learn Python’s regex syntax.
All patterns which begin with “glob:” are treated as globbing patterns. The patterns are interpretted using Python’s fnmatch module. As above, the user should consult the module’s documentation for details.
Patterns which begin with “/” are interpretted as absolute paths. Each such path will match a single file only.
[chmod]
-222 glob:/home/*
644 regex:\.py$
[dissociate]
/etc
/usr/sbin
[live]
glob:/tmp/*
In order, this would remove write permissions (-222) of all files in /home, change the mode of all files that have names ending in “.py” to 644, remove /etc and /usr/sbin from the filesystem along with all contents, and make all files in /tmp live.
<size>
<path>
Use “–fuse-help” to display the complete list of FUSE options. Although FacadeFS allows the user to pass any option to FUSE, most of them should probably never be used. The following should be the most useful: -d, -f, -o allow_other, -o allow_root, -o nonempty, -o fsname=Name
All arguments to FUSE include “-o default_permissions”. To enable “-o allow_other” or “-o allow_root”, uncomment “user_allow_other” in fuse.conf.