Hacker News
by NewJazz | 649 days ago
If it is running as root, can't it just manipulate its mount namespace at will? Mount devtmpfs, then mount user partitions.
2 comments
hackernudes | 649 days ago
I believe one can use "capabilities" and seccomp to lock down a superuser process.
superb_dev | 649 days ago
Systemd can put it in its own namespaces, like a container.
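As an added illustration (not code posted by anyone in this thread), here is a systemd service unit that combines what the two replies describe: it drops the capability root would need to mount anything, filters the mount-related system calls with seccomp, and gives the service private device and mount namespaces so a root process inside it cannot reach the host's devtmpfs or user partitions. The unit name `example-daemon.service`, the binary path `/usr/bin/example-daemon`, and the state directory `/var/lib/example-daemon` are hypothetical placeholders.

```ini
# /etc/systemd/system/example-daemon.service (hypothetical unit, added example)
[Unit]
Description=Example daemon sandboxed with capabilities, seccomp and namespaces

[Service]
ExecStart=/usr/bin/example-daemon
# The process may still run as root; the directives below limit what root can do.

# Capabilities: remove CAP_SYS_ADMIN from the bounding set, so mount(2) and
# friends fail with EPERM even for UID 0. Keep only what the daemon truly needs.
CapabilityBoundingSet=~CAP_SYS_ADMIN
# Prevent regaining privileges via setuid binaries or file capabilities.
NoNewPrivileges=yes

# seccomp: reject the whole mount-related syscall group (mount, umount2,
# pivot_root, chroot, ...) and block creation of new namespaces, so the
# service cannot build itself a different view of the filesystem.
SystemCallFilter=~@mount
SystemCallErrorNumber=EPERM
RestrictNamespaces=yes

# Namespaces: a private /dev with only pseudo-devices (no devtmpfs, no block
# devices), a private mount namespace, and a read-only view of the host.
PrivateDevices=yes
PrivateMounts=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# The only place the daemon may write.
ReadWritePaths=/var/lib/example-daemon

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemd-analyze security example-daemon.service` reports which of these protections are in effect and scores the remaining exposure. Dropping `CAP_SYS_ADMIN` is the single most important line for the scenario in the top comment: without it, root inside the unit cannot mount devtmpfs or any partition regardless of which namespace it sits in, and the seccomp filter and `RestrictNamespaces=` add independent layers in case a capability is later added back.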