On Wed, Jul 12, 2017 at 01:53:23PM +0200, Kevin Kofler wrote:
> It is clear that confining applications to a container helps sandboxing a
> lot. But there ought to be a way to do it without physically duplicating
> everything. How about building a virtual file system view (file system
> namespacing exists in the kernel these days, doesn't it?) that contains a
> read-only view of the system /usr (and possibly other needed directories),
> together with other directories mounted off a container image or a tmpfs?

It's already possible to some extent with systemd directives, for system
applications: DynamicUser=yes or a dedicated user with User=,
+ InaccessiblePaths to "subtract"
+ BindReadOnlyPaths to "add",
and PrivateTmp/Private*/ProtectSystem + SystemCallFilter to implement the
sandbox.

(Or maybe RootImage or RootDirectory should be used to construct the visible
file system from scratch, binding in "external" stuff using BindPaths and
BindReadOnlyPaths. Dunno.)

Of course none of this is competition for Flatpak currently, because it's not
automated and requires privileges. It would be interesting to see how far this
can be taken.

Zbyszek
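As an added worked example (not from the thread, and not systemd's own documentation), here is a unit for a hypothetical system service /usr/libexec/example-app that applies the "subtract/add" directives listed above; the service name, binary and all paths are assumed, and a recent systemd (@system-service needs 235 or later) is assumed.

```ini
# example-app.service (constructed example; all paths are assumptions)
[Unit]
Description=Example app confined with systemd sandboxing directives

[Service]
ExecStart=/usr/libexec/example-app
# Transient unprivileged user; no account has to exist on the host.
DynamicUser=yes
# "strict" makes the whole file system read-only except /dev, /proc, /sys;
# the only writable state is the directory systemd creates for us.
ProtectSystem=strict
ProtectHome=yes
StateDirectory=example-app
# Private /tmp and a minimal /dev instead of the host's.
PrivateTmp=yes
PrivateDevices=yes
# "Subtract": host paths the app has no reason to see are removed from
# its mount namespace (they appear as inaccessible, empty nodes).
InaccessiblePaths=/srv /var/lib/mysql
# "Add": expose one host directory read-only at the same path.
BindReadOnlyPaths=/usr/share/example-app-data
# Allow-list the syscalls a typical service needs; anything outside the
# set terminates the process with SIGSYS, which shows up in the journal.
SystemCallFilter=@system-service
SystemCallArchitectures=native
NoNewPrivileges=yes

# Alternative closer to "construct the view from scratch": start from an
# empty root (assumed to be created beforehand) and bind only what is
# needed. Uncomment instead of ProtectSystem=/InaccessiblePaths= above.
#RootDirectory=/var/lib/example-app-root
#MountAPIVFS=yes
#BindReadOnlyPaths=/usr /etc/ld.so.cache /usr/share/example-app-data

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze security example-app.service` reports which hardening directives are still unset, which is a quick way to check that the sandbox is as tight as intended.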