ioi / isolate

Sandbox for securely executing untrusted programs

Can't write to a mounted dir with write permissions #92

Closed erndob closed 2 years ago

erndob commented 4 years ago
mkdir /testdir 
isolate --init
isolate --dir=testdir:rw -v --run -- /bin/touch /testdir/newfile
isolate --dir=testdir:rw -v --run -- /bin/touch /box/newfile

Trying to write to /testdir gives me a permission denied error, while writing to box is fine. They are bound with identical flags; I'm specifying "rw".

Binding ./box on box (flags 5006)
...
Binding /testdir on testdir (flags 5006)
/bin/touch: cannot touch '/testdir/newfile': Permission denied

Am I missing something?

seirl commented 4 years ago

testdir will not have the correct owner/group; it will just be bind mounted without affecting the dir permissions on the host. That's why you get the permission denied error.

/box is chowned automatically for you, so you don't get an error when doing it here.
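The point above (a bind mount shows the host directory's owner, group and mode unchanged, so the kernel's ordinary permission check decides whether the sandboxed process may write) can be made concrete. The following is an added example, not code from the isolate project or from anyone in this thread. It models the POSIX write check that /bin/touch runs into; the sandbox uid 60000 is a constructed value (isolate allocates a dedicated uid per box, and the real number depends on its configuration), and the `dir_can_write` helper assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: model the POSIX directory write check a sandboxed process
# hits. Inputs are the values `ls -l` / `stat` show on the host, because a
# bind mount does not change them. uid 60000 below is a constructed value.

# can_write UID "GID ..." OWNER GROUP MODE
#   UID, GIDS   : numeric uid and gids of the sandboxed process
#   OWNER, GROUP: numeric owner and group of the directory (stat -c '%u %g')
#   MODE        : octal permission bits (stat -c '%a'), e.g. 755
# Prints yes/no and returns 0 when the write is permitted. uid 0 is always
# permitted, matching the kernel's CAP_DAC_OVERRIDE behaviour.
can_write() {
  uid=$1 gids=$2 owner=$3 group=$4 mode=$5
  if [ "$uid" -eq 0 ]; then
    echo yes; return 0
  fi
  bits=$(printf '%d' "0$mode")          # octal string -> decimal integer
  if [ "$uid" -eq "$owner" ]; then
    triplet=$(( (bits / 64) % 8 ))      # owner class applies
  else
    triplet=$(( bits % 8 ))             # "other" class unless a gid matches
    for g in $gids; do
      if [ "$g" -eq "$group" ]; then
        triplet=$(( (bits / 8) % 8 ))   # group class applies
        break
      fi
    done
  fi
  if [ $(( triplet & 2 )) -ne 0 ]; then
    echo yes; return 0
  fi
  echo no; return 1
}

# dir_can_write DIR UID "GID ...": same check against a real path, using GNU
# stat. Useful for inspecting a --dir target before binding it into a box.
dir_can_write() {
  meta=$(stat -c '%u %g %a' "$1") || return 2
  set -- "$2" "$3" $meta
  can_write "$1" "$2" "$3" "$4" "$5"
}

# report LABEL args...: print the verdict without letting a "no" abort the script.
report() { label=$1; shift; echo "$label: $(can_write "$@")"; }

SANDBOX_UID=60000   # constructed; isolate picks the real uid per box

# /testdir as in the thread: root:root, mode 755, bound with :rw. The rw
# option only decides whether the bind mount is read-only; owner and mode on
# the host are what the kernel checks, hence "Permission denied".
report "/testdir root:root 755" "$SANDBOX_UID" "$SANDBOX_UID" 0 0 755
# /box after isolate's chowntree: the owner is the sandbox uid.
report "/box owned by sandbox uid" "$SANDBOX_UID" "$SANDBOX_UID" "$SANDBOX_UID" 0 755
# A root-owned directory whose group is the sandbox uid, mode 775: writable
# through the group class without handing ownership to the sandbox.
report "/testdir root:sandbox 775" "$SANDBOX_UID" "$SANDBOX_UID" 0 "$SANDBOX_UID" 775
```

The first two calls reproduce the thread: identical-looking root:root 755 directories differ only in the mount being read-only or not, and neither is writable by an unprivileged sandbox uid; /box works because isolate changes its owner before the run. Making a custom directory writable therefore means changing its owner or group on the host to the box's uid (a world-writable mode would also pass the check, but it grants write access to every host user, which is a weaker setting than the group-based one shown).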

erndob commented 4 years ago

Sorry if this is a stupid question; I'm new to Linux, any help is appreciated.

ls -l'ing the directories, they look the same, owned by root and in root group, same permissions.

Looking at the source code, it seems there's a chowntree command during the run, I don't understand how I can achieve something like this for my own folder.

What I would like to have is:

  1. First sandbox is responsible for compiling/writing the files to a folder.
  2. When the folder is ready, create multiple sandboxes mounting that folder in read mode, and run commands against it. The sandboxes read the files and run tests against it in parallel.

First I was trying to simply mount the box of the first sandbox in another sandbox, but that gives a "permission denied" error. So now I'm trying to make another folder that can be written to by one sandbox and read from other sandboxes, and having other permission issues.

gollux commented 4 years ago

Could you please tell us more about your use case?

So far, I do not understand your security model. Especially that you are running the programs in different sandboxes (which seems to imply that they do not trust each other), but you want to allow them to work on a common set of files (which implies that they do trust each other).

erndob commented 4 years ago

@gollux

Main thing here is control of memory/time.

I want to be able to run each unit test, with its own independent memory/time limits. And I want to have it running in parallel.

So isolate works well for it, it lets me easily control the resource limits for the sandbox, but I've been having issues with the parallel aspect of it.

First I've tried having parallel runs on the same sandbox, but it gave me intermittent errors with permissions. So now I'm trying to have multiple sandboxes mounting same folder instead, assuming that's valid and I won't end up with the same intermittent errors.

erndob commented 4 years ago

@gollux The current solution was working for a while, but I'm experiencing an issue again because Swift apparently has a sqlite database in its build that is being written to when tests are run. So after all I need the write permissions for my compiled solution folder.

Is it even possible to have a custom folder mounted on multiple sandboxes in parallel, with write permissions?

As mentioned, the sandbox here is not necessarily just for trust, but also to control the resources. Each test case is run in its own sandbox so that if resources are exceeded and the sandbox is killed, only the test case that did it fails, without impacting other test cases that are potentially working correctly. I believe this to be a normal use case.

gollux commented 2 years ago

Sorry, but this is quite outside the problem domain which Isolate wants to solve. It is a sandbox for executing untrusted code, so the program inside the sandbox should be as isolated from the outside environment as possible. If you want to run trusted code, but with a time and memory limit, you are looking for a different solution.