@promike, @piluke
It appears the problem is the link structure of the various lib folders is not recreated correctly in chroot.
In the host /lib is a symlink to /usr/lib, which contains ld-linux.so.2, which is a link to ../lib32/ld-linux.so.2 (resolved correctly to the actual location /usr/lib32/ld-linux.so.2)
In the chroot environment, however, /lib is not a symlink, resulting in /lib/ld-linux.so.2 being a broken link and as a result 32-bit applications do not load.
Having said that, I'm not sure how to solve the problem. I don't know of any way to recreate the /lib symlink from sandfox and I'm not willing to modify the symlinks set up by the system within.
Any ideas?
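A check for the link-structure mismatch described above, written here as an added example and not part of sandfox itself: it compares the lib directories of a host tree with those of a sandbox root and reports dynamic-loader links that resolve on the host but dangle inside the chroot. The host and sandbox paths are parameters, and the tree built by make_fixture is constructed for illustration.

```shell
#!/bin/sh
# Added example (not sandfox code): detect /lib symlink layout differences
# between a host tree and a sandbox (chroot) tree.

# Resolve a symlink target relative to a chroot root: an absolute target is
# re-rooted under $root, a relative one is taken from the link's directory.
resolve_in_root() {
    root=$1; link=$2
    target=$(readlink "$link") || return 1
    case $target in
        /*) printf '%s\n' "$root$target" ;;
        *)  printf '%s\n' "$(dirname "$link")/$target" ;;
    esac
}

# check_lib_layout HOST ROOT
# Prints one line per finding; returns 0 when the chroot matches the host.
check_lib_layout() {
    host=$1; root=$2; rc=0
    for d in lib lib32 lib64; do
        [ -e "$host/$d" ] || continue
        if [ -L "$host/$d" ] && [ ! -L "$root/$d" ]; then
            echo "MISMATCH: /$d is a symlink on the host but a real directory in $root"
            rc=1
        fi
        # every ld-linux*.so* link visible under the host dir must resolve in the chroot
        for ld in "$host/$d"/ld-linux*.so*; do
            [ -L "$ld" ] || continue
            chroot_link="$root/$d/$(basename "$ld")"
            if [ ! -L "$chroot_link" ]; then
                echo "MISSING: $chroot_link"; rc=1; continue
            fi
            tgt=$(resolve_in_root "$root" "$chroot_link")
            [ -e "$tgt" ] || { echo "DANGLING: $chroot_link -> $(readlink "$chroot_link")"; rc=1; }
        done
    done
    return $rc
}

# Constructed fixture mirroring the comment: host /lib -> usr/lib with
# ld-linux.so.2 -> ../lib32/..., chroot /lib a real dir with no /lib32.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/host/usr/lib" "$fx/host/usr/lib32" "$fx/chroot/lib" "$fx/chroot/usr/lib32"
    : > "$fx/host/usr/lib32/ld-linux.so.2"; : > "$fx/chroot/usr/lib32/ld-linux.so.2"
    ln -s ../lib32/ld-linux.so.2 "$fx/host/usr/lib/ld-linux.so.2"
    ln -s usr/lib "$fx/host/lib"
    ln -s ../lib32/ld-linux.so.2 "$fx/chroot/lib/ld-linux.so.2"
    printf '%s\n' "$fx"
}

if [ $# -eq 2 ]; then check_lib_layout "$1" "$2"; fi   # e.g. check_lib_layout / /mnt/sandfox/skype
```

On a real system run it as root against the sandbox root (for example `/mnt/sandfox/skype`); a DANGLING line for ld-linux.so.2 is the symptom this comment describes.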
Package Details: sandfox 20131104-1
| Package Base: | sandfox |
|---|---|
| Description: | Runs Firefox and other apps in a sandbox with limited access to the filesystem |
| Upstream URL: | http://igurublog.wordpress.com/downloads/script-sandfox/ |
| Category: | system |
| Licenses: | |
| Submitter: | IgnorantGuru |
| Maintainer: | Matteotom |
| Last Packager: | None |
| Votes: | 32 |
| First Submitted: | 2010-02-02 19:07 |
| Last Updated: | 2013-11-05 07:15 |
Latest Comments
Comment by dkaparis
Comment by piluke
@promike I'm having the same problem but I haven't made any changes to the defaults. I have a /lib32 folder but all of the required libraries listed from ldd exist in the chroot. Has anyone found a fix for it?
Comment by promike
I have a 64-bit machine and sandfox doesn't work that well with skype.
After sudo sandfox --verbose --profile=skype; sandfox skype
I get /usr/bin/skype: line 13: /usr/lib32/skype/skype: No such file or directory. I can confirm I have a skype file in the /mnt/sandfox/skype/usr/lib32/skype directory.
Needless to say skype works without sandfox.
The only change I have made is in the default and skype profile. I have no /lib32 folder, I have /lib and /lib64. I commented out that one (and I added /lib) and lastly the echo $user gives me nothing, so I changed them to $USER.
Does anyone know what the problem is? I can't figure it out
Comment by Matteotom
@scattbrain: it should be fixed
Comment by scattbrain
I don't know if it is related to you, however... using the git describe function to retrieve the pkgver, the obtained value is "gdad04f9" while the $pkgver in the manifest is "20131018". So my AUR helper (pacaur) thinks the package was updated every time.
Comment by IgnorantGuru
Thanks for the PKGBUILDs and sorry for the delay. I have changed it to XOrg's one but haven't tested it. I'm going to orphan this now in case anyone wants to maintain it. If it's not picked up then I'll own it again next time I need to make a change.
I left the --depth 1 in but if that is causing problems with this new PKGBUILD it can be removed.
Comment by Xorg
I have written a new PKGBUILD: https://gist.github.com/X0rg/5983234
It is more in harmony with: https://wiki.archlinux.org/index.php/Arch_CVS/SVN_PKGBUILD_guidelines
Comment by ilikenwf
Seems that the --depth 1 is breaking it for me here, breaks the build.
Comment by Gently
Cleaned up PKGBUILD a little:
https://gist.github.com/7b252ea656b38b858cb3
Anonymous comment
Simple shell script that works flawlessly.
The script creates profiles in /mnt/sandfox, which mount read-only binaries (/bin, /etc, /lib, /usr, /var/lib), create a new home dir and give access to a shared /tmp.
Never knew that chrooting could be so simple.
Comment by IgnorantGuru
@Army: Thanks - I'll test that with the next update.
Anonymous comment
I cleaned up your PKGBUILD a little bit: http://codepad.org/MC0Sb9PR
Comment by IgnorantGuru
> Would it be possible to have an option so that when it ran it had no write access to anything beyond ram?
That is as simple as modifying the default profile so it includes only bindro, copy, and hide binds. See the webpage for details on the different kinds of binds. As far as what programs you would be able to run in such a sandbox, that will vary, but in general you can construct entirely or mostly read-only sandboxes. For example, Firefox needs write access to ~/.mozilla, but you can use a copy bind to provide that.
Comment by Compintuit
Would it be possible to have an option so that when it ran it had no write access to anything beyond ram?
Comment by IgnorantGuru
@virtuemood
This error has been converted to a warning in Sandfox 1.0.2. The best solution is to remove /var/lib/mlocate from both the default and firefox profiles if it doesn't exist on your system. The error (now a warning) is caused by /var/lib being bindro and /var/lib/mlocate not existing. Also, 1.0.2 corrects a problem with hide for a non-existent target (makes it a folder as it should be rather than a file mount point). Thanks for your feedback.
Also, please bring issues not related to the AUR package installation to this forum thread instead...
http://bbs.archlinux.org/viewtopic.php?id=90152
Comment by virtuemood
ERROR:
sudo sandfox --profile firefox --verbose
Processing hide /var/lib/mlocate
touch: cannot touch '/mnt/sandfox/firefox/var/lib/mlocate': Readonly filesystem
>>> mount --bind "/dev/null" "/mnt/sandfox/firefox/var/lib/mlocate"
mount: mount point /mnt/sandfox/firefox/var/lib/mlocate does not exist
>>> mount -o remount,noatime,nosuid "/mnt/sandfox/firefox/var/lib/mlocate"
mount: can't find /mnt/sandfox/firefox/var/lib/mlocate in /etc/fstab or /etc/mtab
sandfox: Error: bind mount failed on /mnt/sandfox/firefox/var/lib/mlocate
I fixed this error by touching /var/lib/mlocate outside the sandbox.
Comment by Vi0L0
aah... sorry, my fault - I totally forgot about some device (/dev/dri/card0) that I was using a long time ago, strange that the error occurred now... Anyway thanks :)
Comment by IgnorantGuru
Please try running it with --verbose. Perhaps one of the mount points is causing it to hang, so make a note of the last line before it stops responding. It would probably be best to continue this discussion on the forum thread below - thanks.
http://bbs.archlinux.org/viewtopic.php?id=90152
Comment by Vi0L0
I'm using the [testing] repo, and after a recent update (with kernel 2.6.34) sandfox cannot run properly. This is strange cuz all works fine with my own 2.6.34-rcX kernel.
No matter what I used - your daemon script, or just:
sudo /usr/bin/sandfox --profile firefox
/usr/bin/sandfox firefox || return 1
it stops initiating after giving these lines at the console:
Loading profile "default"
Loading profile "firefox"
Creating new sandbox "firefox"
Although it looks like it's creating/copying all needed directories correctly to /mnt/sandfox.
Removing /mnt/sandfox/* and starting sandfox again gives nothing.