On 02/02/2017 07:28 PM, Leonid Isaev wrote:
> I already described an approach when one always runs browsers, pdf readers, etc, inside an lxc container, as an unprivileged user. That container resides on a filesystem mounted with nosuid (so things like ping, su, sudo won't work), and has a locked root account. On top of that, it connects to a Xephyr session running on the host, to avoid X11 sniffing attacks.
> I have been using such a setup on all my desktops for over a year now. The only way to break out of such a container is a local kernel privilege escalation. Of course, having *privileged* userns *might* help because inside the container UID=0 will map to something like UID=123456 on the host, but this doesn't seem worth doing given all the issues with userns.
This sounds cool. Do you happen to have written that up somewhere? :)

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
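Since nobody in the thread posted one, here is a sketch of the setup Leonid describes (nosuid filesystem under the container, locked root, unprivileged user, Xephyr on the host instead of the real X socket). It is an added example, not his scripts or any project's code. It assumes LXC 3.x config keys (lxc.rootfs.path, lxc.rootfs.options, lxc.mount.entry), a container named "web" under /var/lib/lxc, an unprivileged uid/gid 1000 inside it, and a Xephyr server on host display :1; it deliberately leaves out lxc.idmap, since the post says userns was not worth it.

```shell
#!/bin/sh
# Added example of the lxc + nosuid + Xephyr desktop sandbox from the post above.
# All names below are assumptions: container "web", uid 1000, Xephyr on :1.
set -u

CT=${CT:-web}                      # assumed container name
CT_UID=${CT_UID:-1000}             # assumed unprivileged user inside the container
CT_HOME=${CT_HOME:-/home/user}     # assumed home of that user
XDISPLAY=${XDISPLAY:-:1}           # assumed Xephyr display on the host
LXC_BASE=${LXC_BASE:-/var/lib/lxc} # assumed host mountpoint holding the containers

# 1. Is the filesystem holding the container really mounted nosuid?
#    $1 = mountpoint, $2 = mount table in /proc/mounts format (default /proc/mounts).
#    The LAST entry for the mountpoint wins, so an overmount without nosuid fails the check.
mount_is_nosuid() {
  awk -v mp="$1" '
    $2 == mp { n = split($4, o, ","); hit = 0
               for (i = 1; i <= n; i++) if (o[i] == "nosuid") hit = 1 }
    END { exit (hit ? 0 : 1) }' "${2:-/proc/mounts}"
}

# 2. LXC config fragment: rootfs on the nosuid filesystem, nosuid,nodev repeated on the
#    rootfs mount itself, and only the Xephyr socket (never the host :0 socket) bound in.
sandbox_lxc_config() {
  xnum=${XDISPLAY#:}
  cat <<EOF
lxc.uts.name = $CT
lxc.rootfs.path = dir:$LXC_BASE/$CT/rootfs
lxc.rootfs.options = nosuid,nodev
# Xephyr's unix socket from the host; the container gets no other X socket
lxc.mount.entry = /tmp/.X11-unix/X$xnum tmp/.X11-unix/X$xnum none bind,create=file 0 0
EOF
}

# 3. Host side: Xephyr listening on a unix socket only (no TCP).
start_xephyr() {
  Xephyr "$XDISPLAY" -screen 1280x800 -resizeable -br -nolisten tcp &
}

# Lock the container's root account, as in the post (su/sudo are already dead from nosuid).
lock_container_root() {
  lxc-attach -n "$CT" -- passwd -l root
}

# Run a program inside as the unprivileged user with a scrubbed environment and
# DISPLAY pointing at Xephyr rather than the host's real X server.
run_sandboxed() { # $@ = program and arguments, e.g. firefox
  lxc-attach -n "$CT" --clear-env -v DISPLAY="$XDISPLAY" -v HOME="$CT_HOME" \
    -u "$CT_UID" -g "$CT_UID" -- "$@"
}

case "${1-}" in
  check)  mount_is_nosuid "$LXC_BASE" && echo "$LXC_BASE is mounted nosuid" ;;
  config) sandbox_lxc_config ;;
  up)     mount_is_nosuid "$LXC_BASE" || { echo "refusing: $LXC_BASE is not nosuid" >&2; exit 1; }
          start_xephyr; sleep 1
          lxc-start -n "$CT"; lock_container_root
          run_sandboxed "${2:-firefox}" ;;
esac
```

Usage: `sh sandbox.sh check` to confirm the nosuid mount, `sh sandbox.sh config >> /var/lib/lxc/web/config` once, then `sh sandbox.sh up firefox`. The `up` target refuses to start if the mount check fails, because everything the post relies on (ping, su, sudo not working) comes from that one flag. As the post itself says, none of this helps against a kernel privilege escalation.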