ushakov 3 hours ago
both Docker and bubblewrap are not secure sandboxes. the only way to have actually isolated sandboxes is by using VMs.

disclaimer: i work on secure sandboxes at E2B

gf000 an hour ago
What about cgroups? I know they are not exactly analogous, but to me that seems like a pretty decent solution.

senko 3 hours ago
No disagreement from me. From the article:

> Bubblewrap and Docker are not hardened security isolation mechanisms, but that's okay with me.

Edit to add: my understanding is the major flaw in this approach is potential bugs in the Linux kernel that would allow sandbox escape. Would appreciate your insight if there are some easier/more probable attack vectors.

its-summertime 2 hours ago
Do you have more information on how to set up such VMs?