[cap-talk] Announce: Plash 1.18
Toby Murray
toby.murray at comlab.ox.ac.uk
Thu Jun 7 10:11:25 EDT 2007
On Wed, 2007-06-06 at 19:10 +0100, Mark Seaborn wrote:
> Plash 1.18 is now available.
Nice one. Congratulations. It's great to see Plash evolving.
> The major new feature is the packaging system, for running programs
> from Debian packages in sandboxes. This is able to run a number of
> programs such as Firefox and Evince. See
> <http://plash.beasts.org/wiki/PackageTools>.
Looking at that link and at http://plash.beasts.org/wiki/Story2 I'm
trying to figure out the mechanics of what's going on with the sandbox
construction.
Can you comment on the following guesses?
- When a new package is installed (e.g. firefox) you pull down and install
  all dependencies somewhere -- e.g. /path/to/plash-sandboxes/firefox
  This allows any (sandboxed) firefox instance to have all needed
  dependencies available to it directly in its sandbox.
- When launched, (sandboxed) firefox instance X is given copy-on-write
  access to /path/to/sandbox/firefox so any changes it makes there do not
  affect other (sandboxed) firefox instances.
- Grants by the powerbox allow (sandboxed) firefox instance X to edit
  files and have the changes appear in-place in the global filesystem.
- Other grants -- e.g. copy-on-write grants to other parts of the
  filesystem -- are not possible, so if (sandboxed) firefox instance X
  tries to write to $HOME/somewhere and the user hasn't granted access via
  the powerbox, the write will fail.
Is that about right?
If not, could you explain further or point me to a wiki page?
This is all exciting stuff.
Cheers
Toby