[arch-general] sandboxing

Bennett Piater bennett at piater.name
Thu Feb 2 20:30:58 UTC 2017


On 02/02/2017 07:28 PM, Leonid Isaev wrote:
> I already described an approach when one always runs browsers, pdf readers,
> etc, inside an lxc container, as an unprivileged user. That container resides
> on a filesystem mounted with nosuid (so things like ping, su, sudo won't work),
> and has a locked root account. On top of that, it connects to a Xephyr session
> running on the host, to avoid X11 sniffing attacks.
> 
> I have been using such a setup on all my desktops for over a year now. The only
> way to break out of such a container is a local kernel privilege escalation. Of
> course, having *privileged* userns *might* help because inside container UID=0
> will map to smth like UID=123456 on the host, but this doesn't seem worth doing
> given all the issues with userns.

This sounds cool. Do you happen to have written that up somewhere? :)

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
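As an added example (not part of the thread, and not Leonid's own setup scripts), the following shell functions audit the three properties the quoted mail relies on: a nosuid filesystem under the container, a locked root account, and (optionally) whether container UID 0 is mapped to a different host UID via userns. The functions take file contents as text, so they are shown here against constructed sample data and can equally be pointed at the real /proc/mounts, /etc/shadow and /proc/self/uid_map from inside the container; the sample values and the audit_live helper are assumptions, not anything from the list post.

```shell
#!/bin/sh
# Added example: audit the sandbox properties described in the thread.

# is_nosuid MOUNTS MOUNTPOINT: succeed if MOUNTPOINT carries the nosuid option
# (setuid bits on ping, su, sudo are then ignored, which the setup relies on).
is_nosuid() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "nosuid") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# root_locked SHADOW: succeed if root's password field starts with "!" or "*",
# i.e. no password can ever match the locked account.
root_locked() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "root" && $2 ~ /^[!*]/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# root_host_uid UIDMAP: print the host UID that container UID 0 maps to.
# Prints 0 when the container runs without user namespaces (as in the thread).
root_host_uid() {
    printf '%s\n' "$1" | awk '$1 == 0 { print $2; exit }'
}

# Constructed sample data standing in for the real files.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /var/lib/lxc ext4 rw,nosuid,nodev,relatime 0 0'
SAMPLE_SHADOW='root:!:17000:0:99999:7:::
sandbox:$6$constructedhash:17000:0:99999:7:::'
SAMPLE_UIDMAP_NONS='         0          0 4294967295'
SAMPLE_UIDMAP_NS='         0     123456      65536'

# Live audit when run inside the container; nonzero if a property is missing.
audit_live() {
    is_nosuid "$(cat /proc/mounts)" / || { echo "rootfs lacks nosuid"; return 1; }
    root_locked "$(cat /etc/shadow)"  || { echo "root is not locked"; return 1; }
    echo "container root maps to host UID $(root_host_uid "$(cat /proc/self/uid_map)")"
}
```

Run `audit_live` as root inside the container (reading /etc/shadow needs it); the pure functions can also be run on the host against the container's rootfs files.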
