Notes - 6. Sandboxing

6. Container & Sandboxing

Flatpak → OSTree commits, combined together.

GNOME

app / org.gnome.Sdk ← org.gnome.Platform/master ← org.freedesktop.Platform/23.08: a minimal Linux environment.

bwrap: the sandbox environment.

No userspace process isolation, so from the host I can see the sandboxed process in /proc, and listing /proc/{pid}/root actually shows me the root inside the sandbox. Via mountinfo I can see it is a bind mount from /newroot → /root.

/newroot is on tmpfs, meaning there aren't any actual ‘files’ mapped in the host, so I can't find it there.

/newroot is set up by bwrap; there is no “base” image.

All flatpak commits, including the Platform, are bind-mounted into the container's folders. E.g. org.gnome.Platform's files/ is ro-mounted on /usr in the container, and flatpak invokes bwrap with:

symlink /bin → /usr/bin, symlink /lib → /usr/lib, mkdir /dev, mkdir /tmp, mkdir /sys, mkdir /app … without needing to mount an image on root; it is set up like a minimal Linux on embedded firmware (e.g. busybox Linux).

The app is ro-bind-mounted on /app, the platform is ro-bind-mounted on /usr, and user data is saved in the XDG dirs and $HOME.

What is bootc? It is essentially the same thing as ostree-native-containers; it is the origin of that.

fakeroot

LD_PRELOAD: geteuid() → returns 0. It fools the program into believing its uid is 0, but the user still can't access the real root's permissions. It just fools programs that “only allow running as root” internally.

Containerized environment:

rootless → the current user becomes root; any additional users inside the container get a virtual uid, which in the host is just a ghost id. The real root becomes nobody and of course is not accessible by the user.

Here we need “rootless” unpacking. Container images will have files with root ownership in their tar archive, so we need fakeroot to unpack the image to the filesystem, so that the “root”-owned files in the tar can be extracted.

libc and compat layer..?