- Security sandbox. Pricing: Open Source
I am just its (mostly happy) user. I wrote that rule on my phone, so you are right, it is not complete. On the other hand, raw sockets require the CAP_NET_RAW capability, which is often assigned to root only, so running a capability-untreated binary as an unprivileged user should not allow any raw socket ops (ping often uses file capabilities or setuid root). AFAIK it requires root to load/reload profiles. And that is fine for me; my use-case is hardening of services running on my server. For ad-hoc restriction of untrusted software you can already use stuff like FireJail https://firejail.wordpress.com/. I just don't think a new syscall would be such a benefit, but I am not the one to decide. :)
- Unprivileged sandboxing tool
How does this approach to sandboxing compare to bubblewrap, which uses namespaces? https://github.com/containers/bubblewrap