On Sun, Jul 23 2023 at 11:18:45 PM -0400, Demi Marie Obenour
<demiobenour@xxxxxxxxx> wrote:
Then the mount needs to be done in a sandbox, such as a KVM guest or
sandboxed userspace process.
Hmmm... I don't think traditional sandboxing accomplishes anything
here, because we're trying to protect against kernel bugs, not
userspace bugs, and if the kernel is compromised then you escape the
sandbox. A KVM virtual machine would solve that, certainly, but that
sounds really complicated to do? We don't have any precedent for
spinning up virtual machines to perform normal desktop operations.
Doesn't that require hardware support anyway? i.e. virtualization might
be disabled at the firmware level?
Michael
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
