facadefs

2014-10-12 23:16 UTC
  • Xyne

Metadata

Description:

A FUSE-based filesystem sandbox.

Latest Version:

2012.12.24.1

Architecture:

  • any

Dependencies:

  • python2
  • python2-fuse

Arch Repositories:

  • [xyne-any]
  • [xyne-i686]
  • [xyne-x86_64]

AUR ID:

30482

Arch Forum ID:

81027

Tags:

FACADEFS(1)

Synopsis

facadefs [options]

facadefs <root> <cache> <mointpoint> [fuse options]

Description

FacadeFS (pronounced "fa├žade F S") is a FUSE-based filesystem sandbox. It enables the user to mount part of the filesystem (<root>) at a different node (<mountpoint>). The mountpoint will appear to mirror the root and will be modifiable but all modifications will be intercepted so that the root will remain unchanged. Modified versions of files and new files will be stored in the cache (<cache>) in a parallel hierarchy.

FacadeFS can also accept a configuration file which can be used to modify file permissions, hide files and even enable direct modification of the underlying files. See the configuration file section below.

Configuration File

The configuration file makes it possible to modify the presentation of the underlying filesystem. It is broken into separate sections:

[chmod]

This section can be used to change the apparent mode of files. This can include both increased and decreased privileges. The ability to increase privileges depends on the permissions of the running process. If the running process cannot read a file, it is not possible to elevate its privileges.

Each line should contain an octal integer followed by a path pattern (see below for path pattern syntax). The octal integer is in the format used by the chmod command. If the integer is preceeded with "+" or "-", it will be interpretted as a relative mask instead of an absolute mode. Here are some examples:

644 <pattern>
Attempt to change the mode of all files which match the pattern to 0644. This will increase or decrease permissions as necessary.
-111 <pattern>
Remove executable permissions for all files which match the pattern. As this is a reduction in permissions, it will always succeed for all files. Other permissions are not affected.
+002 <pattern>
Attempt to make all files which match the pattern writable for "others". Other permissions are not affected.

[dissociate]

This section contains a list of patterns, one per line. All files which match the pattern will appear to have been deleted in the mounted filesystem. This is useful for hiding files from the system.

Note that dissociating a directory also dissociates all of its contents.

Some paths should probably not be dissociated, such as /proc, /sys, /dev, etc. These contain information which may be necessary within the sandbox.

[live]

This section can be used to give the system direct access to the underlying files. All files matched by a pattern in this section can be directly modified through the mounted filesystem. This may be useful for /proc, /tmp, /var/log and others.

Extreme caution should be used when including this section in a configuration file. It you are not careful you may unintentionally negate all the benefits of the sandbox. Only use it if you know what you are doing and make sure that you test your patterns before using them for anything important.

Note that /dev/null, /dev/random and /dev/urandom are the only default "live" paths.

Path Patterns

There are three types of path patterns:

Regular Expressions

All patterns which begin with "regex:" will be treated as a regular expression. The regular expressions are interpretted using Python's re module and thus the user should consult the module's documentation to learn Python's regex syntax.

Globbing

All patterns which begin with "glob:" are treated as globbing patterns. The patterns are interpretted using Python's fnmatch module. As above, the user should consult the module's documentation for details.

Literal

Patterns which begin with "/" are interpretted as absolute paths. Each such path will match a single file only.

Configuration File Example

[chmod]
-222 glob:/home/*
644 regex:\.py$

[dissociate]
/etc
/usr/sbin

[live]
glob:/tmp/*

In order, this would remove write permissions (-222) of all files in /home, change the mode of all files that have names ending in ".py" to 644, remove /etc and /usr/sbin from the filesystem along with all contents, and make all files in /tmp live.

Options

--buffersize <size>
Set the internal buffersize for copying files.
-c <path>
Specify a configuration file.
--fuse-help
Display all FUSE options.
-h, --help
Display the help message.

FUSE Options

Use "--fuse-help" to display the complete list of FUSE options. Although FacadeFS allows the user to pass any option to FUSE, most of them should probably never be used. The following should be the most useful: -d, -f, -o allow_other, -o allow_root, -o nonempty, -o fsname=Name

All arguments to FUSE include "-o default_permissions". To enable "-o allow_other" or "-o allow_root", uncomment "user_allow_other" in fuse.conf.

Contact
echo xyne.archlinux.ca | sed 's/\./@/'
Feeds
Blog News
Validation
XHTML 1.0 Strict CSS level 3 Atom 1.0