Support additional isolation features #12
Comments
Probably yes, if this either requires complex initialization in the child process before Integrating seccomp is on my to-do list, but I'm not going to do it soon. So yes, contributions are welcome.
I play with / build a minimal container runtime host without features like AppArmor or SELinux. Is there a security feature implemented to prevent access to /sys and /proc from inside of a container created with your unshare?
Not exactly. But you can either change the user or change the user and create a user namespace (to become root in a new namespace) or you can use Sorry for the late reply.
Would you consider PRs that add support for Linux sandboxing features that are complementary to namespaces, such as MAC (via AppArmor, for example) and seccomp filters?
This would enable using unshare to build safe(r) sandboxes, by limiting the exposed attack surface on the rest of the system, esp. the kernel.
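The seccomp filter the issue asks for, as an added example written for this page (it is not code from the unshare project or its author): a seccomp-BPF syscall allowlist that a sandbox sets up before handing control to untrusted code. The filter first kills the process if the syscall ABI/architecture is not the one the filter was written for, then allows only the listed syscall numbers and fails every other syscall with EPERM. `PR_SET_NO_NEW_PRIVS` is set first so that an unprivileged process may install the filter and setuid binaries cannot escape it afterwards. The allowed-syscall list in `main` is constructed for the demo and is far too small for a real program; the `SANDBOX_ARCH` mapping covers only x86_64, aarch64 and i386. Linux only.

```c
/* Added example, not from the unshare project: seccomp-BPF syscall allowlist.
 * Build: cc -std=c11 -Wall seccomp_allowlist.c -o seccomp_allowlist */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* The arch check is essential: syscall numbers differ between ABIs, so a
 * filter that only looks at `nr` can be bypassed by switching ABI (e.g. x86_64
 * -> x32/i386). Assumption: one of these three targets. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define SANDBOX_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* pre-4.14 kernel headers */
#endif

#define MAX_INSNS 256

/* Writes the classic allowlist shape into `out`:
 *   load arch; if arch != SANDBOX_ARCH -> KILL_PROCESS
 *   load nr;   for each allowed nr:  if nr == allowed -> ALLOW
 *   default:   return -EPERM (fail closed)
 * Returns the instruction count, or -1 if `cap` is too small. This function
 * is pure so the filter layout can be checked without installing it. */
int build_allowlist_filter(struct sock_filter *out, size_t cap,
                           const int *allowed, size_t n_allowed)
{
    size_t needed = 4 + 2 * n_allowed + 1;
    if (needed > cap)
        return -1;
    size_t i = 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    /* jt=1 skips the kill when the arch matches; jf=0 falls into it */
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                            SANDBOX_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n_allowed; j++) {
        /* match -> fall into the ALLOW; no match -> skip it (jf=1) */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (unsigned)allowed[j], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                            SECCOMP_RET_ERRNO | EPERM);
    return (int)i;
}

/* Installs the allowlist in the calling process; children forked afterwards
 * (e.g. what a sandbox launcher spawns) inherit it. Returns 0 on success,
 * -1 with errno set on failure. */
int install_allowlist(const int *allowed, size_t n_allowed)
{
    struct sock_filter insns[MAX_INSNS];
    int n = build_allowlist_filter(insns, MAX_INSNS, allowed, n_allowed);
    if (n < 0) {
        errno = EINVAL;
        return -1;
    }
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}

int main(void)
{
    /* Constructed demo list: enough for raw write()/exit, nothing else.
     * printf is avoided on purpose: it may call brk/mmap/fstat on first use. */
    static const int allowed[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group };
    if (install_allowlist(allowed, sizeof allowed / sizeof allowed[0]) != 0) {
        static const char err[] = "seccomp install failed\n";
        write(STDERR_FILENO, err, sizeof err - 1);
        _exit(1);
    }
    /* getpid is not on the list, so the filter turns it into EPERM */
    if (getpid() == -1 && errno == EPERM) {
        static const char ok[] = "getpid() blocked with EPERM as expected\n";
        write(STDOUT_FILENO, ok, sizeof ok - 1);
    }
    _exit(0); /* exit_group is allowed */
}
```

A real allowlist is derived from tracing the workload (for example with `strace -f -c`) and kept as a fail-closed default, with the arch check left in place; returning EPERM rather than killing makes the sandbox debuggable, while `SECCOMP_RET_KILL_PROCESS` on an ABI mismatch keeps the one case that is never legitimate fatal.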