Does anyone have good, modern material on defenses against chroot jailbreaks?
@pcwalton Dropping CAP_SYS_CHROOT should suffice; chrooted processes can't use CLONE_NEWUSER. Possibly for that specific reason.
@pcwalton (Docker libcontainer unshares mount and does pivot_root and/or mount --move; I don't fully understand what all is going on there.)
@pcwalton (I should add that unprivileged containers *are* nestable, apparently; I was trying to find out how they avoided chroot.)
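As an added example, not posted by anyone in this thread: a small Linux C helper that drops CAP_SYS_CHROOT from the process's own capability sets (lowering capabilities never needs privilege), tries to remove it from the bounding set as well (that part needs CAP_SETPCAP, so EPERM is tolerated), and then checks /proc/self/status to confirm a jailed worker really no longer holds it. The parsing helpers work on any status text, including the constructed sample used for testing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>   /* CAP_SYS_CHROOT (18), _LINUX_CAPABILITY_VERSION_3 */

/* Is capability number `cap` set in a hex mask as printed in /proc/<pid>/status? */
int cap_set_has(const char *hexmask, int cap) {
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Find a "CapXxx:\t<hex>" field (e.g. "CapEff:") in status text and test one bit.
   Returns 1 if set, 0 if clear, -1 if the field is absent. */
int status_has_cap(const char *status_text, const char *field, int cap) {
    const char *line = strstr(status_text, field);
    if (!line) return -1;
    line += strlen(field);
    while (*line == ' ' || *line == '\t') line++;
    return cap_set_has(line, cap);
}

/* Remove CAP_SYS_CHROOT from effective/permitted/inheritable sets, and from the
   bounding set when we are allowed to, so it cannot come back via a setuid exec. */
int drop_cap_sys_chroot(void) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];          /* v3 uses two 32-bit words */
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    data[0].effective   &= ~(1U << CAP_SYS_CHROOT);   /* 18 < 32, so word 0 */
    data[0].permitted   &= ~(1U << CAP_SYS_CHROOT);
    data[0].inheritable &= ~(1U << CAP_SYS_CHROOT);
    if (syscall(SYS_capset, &hdr, data) != 0) return -1;
    if (prctl(PR_CAPBSET_DROP, CAP_SYS_CHROOT, 0, 0, 0) != 0 && errno != EPERM) return -1;
    return 0;
}

int main(void) {
    char buf[4096];
    if (drop_cap_sys_chroot() != 0) { perror("drop_cap_sys_chroot"); return 1; }
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    printf("CapEff has CAP_SYS_CHROOT: %d\n", status_has_cap(buf, "CapEff:", CAP_SYS_CHROOT));
    printf("CapBnd has CAP_SYS_CHROOT: %d\n", status_has_cap(buf, "CapBnd:", CAP_SYS_CHROOT));
    return 0;
}
```

Run it as the jailed worker (after chroot) to confirm CapEff reports 0; a CapBnd of 1 means the bounding-set drop was refused and the worker should be started from a parent that holds CAP_SETPCAP.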