bigwheels 3 hours ago
I use Leash [1] [2] for sandboxing my agents (to great effect!). I've been very happy with it, it provides strict policy-level control for all process-level + network-level activity, as well as full visibility and dynamic runtime controls via WebUI. Way better than bubblewrap imo. I originally saw it here on HN and have been hooked ever since.

[1] Screenshot: https://camo.githubusercontent.com/99b9e199ffb820c27c4e977f2...

[2] https://github.com/strongdm/leash

Fun fact: Do you know what container / sandboxing system is in most widespread use? Not docker containers, certainly not bubblewrap, and not even full VMs or firecracker. It's Chrome tabs.

necovek an hour ago
That's interesting, how does Chrome implement "sandboxing" in Windows and macOS? For Linux, does it use the same underlying technology as Docker, Podman, LXD, LXC (cgroups, namespaces...)? Or is it a custom "sandboxing" implementation not relying on system level functions (e.g. a VM with restricted functions)? If the latter, I wonder if something like JRE or .NET CLR is still out there in larger numbers, but obviously, Chrome does have billions of users.

observationist 2 hours ago
Using Chrome for anything seems like a security failure of itself. It's got great features, but damn do they come at a cost.