|
|
|
|
|
|
by _cenw
1110 days ago
|
|
|
What would an application do that is more secure than namespaces+cgroups? Containers absolutely are a security tool (especially if you configure your capabilities and don't use PID 1), one with a security tradeoffs compared to real virtualization, sure, but you're not going to do that on a VPS. Docker (or Podman) is just a tool that sets up some linux primitives for you. One with a track record and volume of users that'd make me trust it over things that specifically advertise themselves as "security sandboxes" (i.e. firejail, who had some extremely funny basic exploits to get root from their SUID'd binary). You can even pair containers with user namespaces now and get the fakeroot equivalent of containers. |
|
|
Object capabilities, which is what Sandstorm/Cap’n Proto are based on, provides much more security than Mandatory Access Control systems while also providing a much simpler method for getting there.
Sadly the literature on OCAP is fairly poor, often being either too low level or too abstract.
The tl;dr is that OCAP systems work by assuming an application has no functionality whatsoever, and then must be passed (not sandboxed but passed) functionality, either at start time, or when the application requests it.
The easiest way to understand it is imagine if instead of being able to open a file on the filesystem by path, you had to specifically be passed the file descriptor by the OS, possibly before runtime.
Another way to think about it is thinking about the OAuth2 capabilities that you can grant an application. You authorize an application to have certain capabilities, and then the client is handed back a set of API tokens or addresses. Those are the only way it can exercise those capabilities.
It's not being sandboxed, it simply doesn't have any additional way to get access.