by nix23
1527 days ago
>SELinux is also a bad example
No, why? If you have the right (and correct) rules, SELinux absolutely acts as a "sandbox"; that's exactly what I meant, a sandbox doesn't need to be another layer of software. Run in your "namespace", where you can just create/access/execute/read your ports, files, memory... that's it, that's a sandboxed application. For example, that "namespace sandbox" is standard in Plan9/9front... without any additional software, just the filesystem and 9p. https://dwalsh.fedorapeople.org/SELinux/Presentations/sandbo...
>For example, that "namespace sandbox" is standard in Plan9/9front... without any additional software, just the filesystem and 9p.
This is what I mean: Plan9-style mount namespaces are also available in Linux and are preferable to SELinux for containers and sandboxes because they're actually simpler and less trouble.