by abstract7
2523 days ago
Disabling unsafe and unnecessary sys calls in containers (not Docker) and forcing apps to communicate via API with capabilities management would let you do this now, I think. In fact, sandstorm.io is said to do all this. And it's open-source. I never used it, except the demo. And I'm not sure if its PowerBox (manages capabilities) is fully implemented.