Conversation

For the most part namespaces don't restrict what processes do. They gain capabilities via the kernel and other processes via file descriptors. Mount namespaces give them their own path hierarchy but don't sandbox their filesystem access. Similarly for most of the others, apart from userns.
2
And mount namespaces do sandbox filesystem access, but you have to know how to use them. It involves bind mounting over things that should not be accessible (or that you want to interpose different content over) and then making a new nested namespace so they can't be undone.
2
That's changing what's accessible via paths, not sandboxing filesystem access. The program isn't restricted in any way from accessing files passed to it from outside the sandbox. If the user opens a file with an application via the system UI, something is being passed to the app, etc.
1
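The two preceding replies can both be checked on a stock Linux kernel. The following is an added example, not code from any of the posters: it unshares a user and mount namespace, hides a directory by mounting an empty tmpfs over it, nests a second user-plus-mount namespace so that the overmount is inherited as a locked mount and cannot be unmounted from inside (the "can't be undone" step), and then reads the hidden file anyway through a descriptor that was opened before the sandbox was built (the "passed in from outside" point). The temp-directory layout, the `top secret` contents and the `run_demo`/`child_demo` names are this example's own assumptions. It needs unprivileged user namespaces, or CAP_SYS_ADMIN, and reports "skipped" where the kernel or a seccomp policy refuses `unshare`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

enum { DEMO_OK = 0, DEMO_FAIL = 1, DEMO_SKIPPED = 2 };

/* Write a short string to a /proc file (used for the uid/gid maps of a new user namespace). */
static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Runs in a forked child so the parent's namespaces stay untouched.
 * leaked_fd is a descriptor for secret_file that the parent opened before any sandboxing. */
static int child_demo(const char *secret_dir, const char *secret_file, int leaked_fd)
{
    char map[64], buf[32];
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* 1. New user + mount namespace. If unprivileged userns is disabled (EPERM/ENOSYS), skip. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) return DEMO_SKIPPED;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)uid);
    if (write_file("/proc/self/setgroups", "deny") != 0 ||
        write_file("/proc/self/uid_map", map) != 0) return DEMO_SKIPPED;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)gid);
    if (write_file("/proc/self/gid_map", map) != 0) return DEMO_SKIPPED;

    /* 2. Keep our mount changes private, then hide the directory under an empty tmpfs. */
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return DEMO_SKIPPED;
    if (mount("none", secret_dir, "tmpfs", 0, "size=64k") != 0) return DEMO_SKIPPED;
    if (access(secret_file, F_OK) == 0) return DEMO_FAIL;   /* still reachable by path */

    /* 3. Lock the overmount: a mount namespace created inside a fresh, less privileged
     *    user namespace inherits the parent's mounts as locked (MNT_LOCKED), so code
     *    running in here cannot umount the tmpfs to reveal what is underneath. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) return DEMO_SKIPPED;
    if (umount2(secret_dir, 0) == 0) return DEMO_FAIL;       /* sandbox could be undone */
    if (umount2(secret_dir, MNT_DETACH) == 0) return DEMO_FAIL;
    if (access(secret_file, F_OK) == 0) return DEMO_FAIL;

    /* 4. The path is gone, but the descriptor handed in from outside still works:
     *    namespaces change path resolution, not what an already-open fd refers to. */
    ssize_t n = pread(leaked_fd, buf, sizeof buf - 1, 0);
    if (n <= 0) return DEMO_FAIL;
    buf[n] = '\0';
    return strcmp(buf, "top secret\n") == 0 ? DEMO_OK : DEMO_FAIL;
}

/* Builds the constructed fixture (a temp dir with one secret file), opens the "leaked" fd,
 * and runs the sandbox demo in a child. Returns DEMO_OK, DEMO_FAIL or DEMO_SKIPPED. */
int run_demo(void)
{
    char dir[] = "/tmp/nsdemo.XXXXXX";   /* assumed writable /tmp */
    char file[64];
    int fd, status, rc = DEMO_SKIPPED;

    if (mkdtemp(dir) == NULL) return DEMO_SKIPPED;
    snprintf(file, sizeof file, "%s/secret.txt", dir);
    fd = open(file, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0 && write(fd, "top secret\n", 11) == 11) {
        pid_t pid = fork();
        if (pid == 0) _exit(child_demo(dir, file, fd));
        if (pid > 0 && waitpid(pid, &status, 0) == pid)
            rc = WIFEXITED(status) ? WEXITSTATUS(status) : DEMO_FAIL;
    }
    if (fd >= 0) close(fd);
    unlink(file);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int r = run_demo();
    puts(r == DEMO_OK      ? "ok: path hidden, overmount locked, leaked fd still readable" :
         r == DEMO_SKIPPED ? "skipped: cannot create user/mount namespaces here" :
                             "FAIL: sandbox property did not hold");
    return r == DEMO_FAIL;
}
```

Run it as an ordinary user on a kernel with unprivileged user namespaces enabled. The three checks in steps 2 and 3 are the mount-namespace sandbox working as the second reply describes; step 4 is the third reply's objection in one syscall: nothing in the namespace stops a process from using a descriptor it was given from outside, which is why a real sandbox has to control what is passed in, not only what is mounted.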
I have never once wanted a desktop app to "take a picture". If I want to take a picture with my webcam I'll do it with a native utility I trust then open the file. This is a general principle: vetted native apps for privileged things, 3p junk in a HARD sandbox.
1