Lo and behold

http://ordiluc.net/fs/libetc/

I actually attempted using ptrace to rewrite syscalls first! It was... horribly painful, and didn't work anywhere near as well as the bind-mount version.

In the past I used something like inotab to use an inotify-based trigger to pipe data from SSH to a different system that didn't have any NAS or SAN support, it might also work to detect 'who' is touching any files that boxxy has previously seen rules for.

Perhaps still too tricky to make it do magic things and break programs in the process, but it could be used to audit who's working with what paths and let the user print a report so they know what apps to boxx up and make them behave.

That is an excellent idea! Something like could definitely be worth adding. It's why there's a "remount rootfs as ro" flag; that way anything not specified in rules is ro and misbehaving programs will explode.

Love exploding apps. That's what they get for eating my filesystem.

For a structured approach to ptrace/syscall rewriting, you could try FB's reverie. I worked on and used it during an internship a few years back; it's pretty amazing at what it does.

https://github.com/facebookexperimental/reverie

Fun fact, one layer of App Engine's sandbox from a couple years ago was implemented using ptrace. It will redirect filesystem IO to in-memory files.

Interesting! That makes perfect sense, I just don't think I'm smart enough to use ptrace properly right now :P

Were you mostly going off the ptrace man page? I tried reading it to figure out ptrace and it made me feel not smart enough too.

The man page + Google! There's very few good examples of it, and I've accepted that I'm just not familiar enough with that specific problem space.

Try checking out proot?