Looks like Linux will get an AT_BENEATH flag for filesystem ops, enabling code to sandbox itself without using namespaces :)
LKML thread: https://lkml.org/lkml/2017/4/29/124 … ; somewhat similar to David Drysdale's old O_BENEATH proposal
-
So this is the fs-restriction part of chroot(2), right?
-
Kinda. Unlike Linux chroot(2), it'll probably provide usable security guarantees, and you can restrict yourself to multiple dirs at once.
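An added example (mine, not from the thread or the LKML patch): the "beneath" semantics discussed above did reach mainline, but as the RESOLVE_BENEATH bit of openat2(2) in Linux 5.6 rather than as an AT_BENEATH flag. The block below wraps openat2(2) in a small open_beneath() helper and then checks the three escape routes that make chroot(2) alone untrustworthy: an absolute path, a ".." walk above the directory, and an absolute symlink. Each one succeeds through plain openat() and is refused with EXDEV through open_beneath(). The struct layout and bit values are copied from the kernel UAPI header so the block builds on older userspace headers; the helper and demo names are my own, and the scratch tree under /tmp is constructed by the code.

```c
/* Self-sandboxing file opens with openat2(2) + RESOLVE_BENEATH (Linux >= 5.6).
 * Added example; the struct and constants mirror the kernel UAPI
 * (linux/openat2.h) and are redeclared here for portability. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>

#ifndef __NR_openat2
#define __NR_openat2 437            /* same number on every architecture */
#endif

struct ob_open_how { uint64_t flags; uint64_t mode; uint64_t resolve; };
#define OB_RESOLVE_NO_MAGICLINKS 0x02  /* refuse /proc/<pid>/fd-style magic links */
#define OB_RESOLVE_BENEATH       0x08  /* refuse any escape above dirfd -> EXDEV */

/* Open `path` relative to `dirfd`, rejecting absolute paths, ".." that climbs
 * above dirfd, and symlinks that lead there. Returns an fd, or -1 with errno. */
static int open_beneath(int dirfd, const char *path, int flags)
{
    struct ob_open_how how;
    memset(&how, 0, sizeof how);
    how.flags = (uint64_t)flags;
    how.resolve = OB_RESOLVE_BENEATH | OB_RESOLVE_NO_MAGICLINKS;
    return (int)syscall(__NR_openat2, dirfd, path, &how, sizeof how);
}

/* A path that plain openat() follows out of the tree must be refused by
 * open_beneath() with EXDEV. Returns 1 if so, 0 otherwise. */
static int expect_blocked(int root, const char *path)
{
    int fd = openat(root, path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) { fprintf(stderr, "openat(%s) failed unexpectedly\n", path); return 0; }
    close(fd);
    fd = open_beneath(root, path, O_RDONLY | O_DIRECTORY);
    if (fd >= 0) { close(fd); fprintf(stderr, "open_beneath(%s) escaped\n", path); return 0; }
    return errno == EXDEV;
}

/* Builds a throwaway tree under /tmp (constructed test data) and probes the
 * escapes a chroot-style sandbox has to stop. Returns 1 if every escape was
 * refused and an in-tree open still worked, 0 if openat2(2) is unavailable
 * (ENOSYS on a pre-5.6 kernel, EPERM under a seccomp policy), -1 otherwise. */
int beneath_demo(void)
{
    char tmpl[] = "/tmp/beneath.XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    int root = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (root < 0) { rmdir(tmpl); return -1; }
    int rc = -1, fd;

    /* A legitimate open inside the tree must keep working. */
    fd = openat(root, "inside.txt", O_WRONLY | O_CREAT, 0600);
    if (fd < 0) goto out;
    close(fd);
    fd = open_beneath(root, "inside.txt", O_RDONLY);
    if (fd < 0) { rc = (errno == ENOSYS || errno == EPERM) ? 0 : -1; goto out; }
    close(fd);

    if (symlinkat("/", root, "esc") < 0) goto out;   /* absolute symlink */

    int ok = expect_blocked(root, "/")        /* absolute path */
          && expect_blocked(root, "../..")    /* climbs above dirfd to / */
          && expect_blocked(root, "esc");     /* symlink pointing at / */
    rc = ok ? 1 : -1;
out:
    unlinkat(root, "inside.txt", 0);
    unlinkat(root, "esc", 0);
    close(root);
    rmdir(tmpl);
    return rc;
}

int main(void)
{
    int r = beneath_demo();
    if (r == 1)      puts("all three escapes refused with EXDEV");
    else if (r == 0) puts("openat2(2) unavailable here (pre-5.6 kernel or seccomp)");
    else             puts("unexpected result");
    return r < 0;
}
```

Two caveats when using this as a real sandbox: RESOLVE_BENEATH only governs the resolution that openat2(2) itself performs, so every path operation has to go through it (open with O_PATH and then use the *at family on the returned fd) rather than through rename(2), unlink(2) or any other call that takes a pathname directly. And, as the thread notes, the restriction is per-call against the directory fd you hand in, which is what lets a process confine itself to several directories at once without a chroot or a mount namespace.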