What is the best way? Or at least, a better way?

I recall Shopify having a seccomp-based jail to run untrusted ruby code. But their use-case was very limited so they can get away with blocking almost every syscall.

Other than that... VMs? The fact that people consider JS/WASM engines good security sandboxes is a bit scary tbf.

▲

simonw 6 months ago | parent [-]

I trust a WASM sandbox a whole lot more than I trust a Docker container sandbox.

WASM engines run in almost every browser on earth, billions of times a day. Security problems in those get spotted very quickly.

	▲	babush 6 months ago \| parent [-]
		It's a bit hard to do comparisons without going into threat models and all that _fun_ stuff :shrug: For example, JS runs in almost every browser on earth too, yet it took V8 devs 2 years to find out that `Math.expm1()` could return -0.0 (https://chromium.googlesource.com/v8/v8.git/+/56f7dda67fdc97...). This is a cherry-picked example, and JS is clearly more complex than WASM, but still. Just because stuff runs on a lot of devices doesn't mean it's more or less secure. Linux runs on quite a few devices too, yet we still find bugs, people still don't ship updates to said bugs, yadda yadda yadda. My point is just that lots of devs often skip the threat modeling and just think "I'll slap it in a WASM thingie an it'll be fine". Well good luck.

▲

kissgyorgy 6 months ago | parent | prev | next [-]

Landlock, cgroups on Linux

▲

ehsanu1 6 months ago | parent | prev [-]

gVisor