Last active
January 13, 2016 08:37
-
-
Save jplitza/88ad88b0ed7d7ccdd88b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| CMD="${@:-bash}" | |
| unshare -unpirf --mount-proc sh -c ' | |
| hostname sandbox | |
| TMPNAME=$(mktemp -d) | |
| # replace /dev by minimal dummy version | |
| mount -t tmpfs -o nosuid,mode=755 none $TMPNAME | |
| for dev in null zero full random urandom console tty; do | |
| touch $TMPNAME/$dev | |
| mount --bind /dev/$dev $TMPNAME/$dev | |
| done | |
| mount --move $TMPNAME /dev | |
| # Make some symlinks | |
| ln -s null /dev/kmsg | |
| ln -s /proc/self/fd/0 /dev/stdin | |
| ln -s /proc/self/fd/1 /dev/stdout | |
| ln -s /proc/self/fd/2 /dev/stderr | |
| # save a r/w bind mount of our original cwd | |
| if [ "${PWD#/home}" != "$PWD" ]; then | |
| mount --bind "$PWD" $TMPNAME | |
| fi | |
| # make /home read-only | |
| mount -o remount,bind,ro /home | |
| # restore the original r/w cwd | |
| if [ "${PWD#/home}" != "$PWD" ]; then | |
| mount --move $TMPNAME $PWD | |
| fi | |
| # shadow temporary filesystems with fresh copies | |
| mount -t tmpfs -o nosuid,nodev,noexec,mode=755 none /run | |
| mount -t tmpfs -o nosuid,nodev none /var/tmp | |
| if [ "${PWD#/tmp}" != "$PWD" ]; then | |
| mount -t tmpfs -o nosuid,nodev none $TMPNAME | |
| mkdir -p "$TMPNAME${PWD#/tmp}" | |
| mount --bind "$PWD" "$TMPNAME${PWD#/tmp}" | |
| mount --move $TMPNAME /tmp | |
| else | |
| rmdir $TMPNAME | |
| mount -t tmpfs -o nosuid,nodev none /tmp | |
| fi | |
| # refresh cwd handle | |
| cd "$PWD" | |
| # get lost of uid 0 by starting yet another user namespace | |
| exec unshare -U '"$CMD" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment