On Thu, 2017-02-02 at 19:32 +0200, Francisco Barbee wrote:

> So your advice for now would be to use a grsecurity kernel and forget all those jails and namespaces until someone figures out a proper security solution?

I never said that... It simply doesn't make sense to base application sandboxes on user namespaces. That's all. Isolation can be exposed to unprivileged users without that insanity.

Chromium has the best sandbox available for large applications like that, and it works fine without user namespaces. The tiny setuid binary barely adds attack surface vs. the enormous fully privileged attack surface of user namespaces. The chrome-sandbox binary can be contained by MAC too, if you use it.