[tptacek]

Not really; mbox uses seccomp-bpf to filter system calls, from userland, using unprivileged users. A very ambitious project to build on top of mbox might be an even lighter-weight Docker-alike using userland system call interposition instead of Linux containers.

[mbreese]

I'm calling it now - such a project should be called "Mocker".

Actually, this is really a good idea. I hadn't realized that non-root users can't start their own Docker images, which I think could be a killer application. Perhaps if the overhead from something like Mbox is low enough, this could be feasible. As it is, I'm not sure I'm willing to fork over the extra ~20% overhead, just to have my applications running in a sandbox, but this could be a good method to distribute complete environments.

[annnnd]

For some applications I would be more than willing to accept 20% overhead in exchange for perfect security. Still better than setting up dummy virtual boxes.

[justincormack]

Not sure it is perfect security. There are race conditions with ptrace sandboxes. Have not read the paper yet to see if they mitigate somehow with seccomp.

[jdiez17]

Non-root users can start their own Docker images, if you change the permissions on the UNIX socket.

[brokenparser]

You might as well give them password-less sudo. Also, why are you changing permissions on the socket at all? The default is 660 which seems perfectly fine to me, if it's currently 666 you just gave everything on your box free root access.

Read this https://github.com/dotcloud/docker/issues/1369