Hacker News
by nl 4336 days ago
Ha.

I wrote about a ZeroVM-on-Docker thing I was working[1] on in another thread just before this story showed up.

Note that ZeroVM isn't a conventional VM at all. All your software needs recompiling for it, and it is entirely deterministic (with all the positive and negative aspects of that).

For one set of use-cases this is very useful. I was looking at using it to run untrusted user-submitted, and potentially hostile code when a Docker container isn't sufficient on its own.

[1] https://news.ycombinator.com/item?id=8107151


The SELinux talk looks interesting. I spent a while trying to get SELinux and Docker working together[1]. I'll need to watch that.

[1] https://groups.google.com/forum/#!searchin/docker-user/SELin...

Does anyone use AppArmor in production? It isn't very visible.

Future hardware isolation: http://css.csail.mit.edu/6.858/2013/readings/intel-sgx.pdf

You may find MBox interesting:

Mbox is a lightweight sandboxing mechanism that any user can use without special privileges in commodity operating systems.

http://pdos.csail.mit.edu/mbox/

I had trouble running it in Ubuntu because of AppArmor.

Thanks. Looks like one of those voluntary rootkits that installs defensive code in a role that malware has been known to occupy. It's a good sign for AppArmor that it prevented it from running :)

I wouldn't have said it was much like a rootkit. It's more akin to a container or a chroot, except run without special permissions.

What am I missing? (Or is it just that some rootkits use ptrace/Seccomp?)
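As an added illustration of the mechanism behind the Mbox post and the ptrace/seccomp remark above (this is my own example, not code from the thread, from Mbox or from ZeroVM): the kernel feature that lets an unprivileged process confine itself on Linux is seccomp-bpf. The function names, the choice of blocked syscalls and the probe path below are mine; the code assumes Linux x86_64 or aarch64 with seccomp filter support (kernel 3.5 or later).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumption: Linux x86_64 or aarch64 with seccomp-bpf (kernel >= 3.5).
 * The filter checks the architecture first: syscall numbers differ between
 * ABIs, and a filter without this check can be bypassed by switching ABI. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example only covers x86_64 and aarch64"
#endif

/* Syscalls the sandbox refuses (example choice: directory creation and
 * unlinking). aarch64 has no mkdir/unlink, only the *at forms. */
static const int denied_syscalls[] = {
#ifdef __NR_mkdir
    __NR_mkdir,
#endif
    __NR_mkdirat,
#ifdef __NR_unlink
    __NR_unlink,
#endif
    __NR_unlinkat,
};
enum { NDENY = sizeof denied_syscalls / sizeof denied_syscalls[0] };

/* Install the filter on the calling process. No privileges are needed:
 * PR_SET_NO_NEW_PRIVS promises the process can never gain privileges via
 * setuid binaries, which is what allows an unprivileged process to use
 * SECCOMP_MODE_FILTER. Returns 0 on success, -1 (errno set) on failure. */
int sandbox_deny_fs_mutation(void)
{
    struct sock_filter prog[NDENY + 6];
    unsigned len = 0, i;

    /* 0: A = arch; 1: if A == SANDBOX_ARCH skip the kill; 2: kill process. */
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, arch));
    prog[len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    /* 3: A = syscall number. */
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, nr));
    /* 4..: one compare per denied syscall; a hit jumps forward to the ERRNO
     * return (the last instruction), a miss falls through to the next compare. */
    for (i = 0; i < NDENY; i++)
        prog[len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                   (unsigned)denied_syscalls[i],
                                                   (unsigned char)(NDENY - i), 0);
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                               SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));

    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return -1;
    return 0;
}

/* Try to create (and immediately remove) a directory. Returns 0 on success,
 * otherwise the errno the kernel handed back; inside the sandbox that is EPERM. */
int probe_mkdir(const char *path)
{
    if (mkdir(path, 0700) == 0) {
        rmdir(path);
        return 0;
    }
    return errno;
}

int main(void)
{
    const char *path = "/tmp/seccomp-example-probe";   /* constructed probe path */
    printf("before sandbox: mkdir -> %d\n", probe_mkdir(path));
    if (sandbox_deny_fs_mutation() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("inside sandbox: mkdir -> %d (EPERM is %d)\n", probe_mkdir(path), EPERM);
    return 0;
}
```

Once installed, the filter is inherited by every child and cannot be removed, which is the same one-way property a chroot or container gives. The limitation is also visible here: a BPF filter sees only the syscall number and scalar arguments and cannot dereference a path pointer, so a filter alone cannot say "writes under this directory are fine, elsewhere they are not". That is the gap a ptrace-based sandbox such as Mbox fills by inspecting and rewriting arguments at each stop, at the cost of a tracer that sits in the position a rootkit would occupy.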