Re: Article: State of Sandboxing in Linux

[Ali Polatel <alip () hexsys org>]

On Monday, November 25th, 2024 at 00:12, Evan Carroll <me () evancarroll com> wrote:

> A lot of words on that one,
>
> Not sure if you're the author of the paper. But off the get go, I'm
> extremely confused. I wanted to give my critique on the paper instead of
> the technology. My experience with "user-space sandboxing" is kernel
> user-namespaces. My interface to them is podman. It's not clear what this
> "sandbox" offers that podman's rootless mode does not. I believe I'm in the
> majority with experience in containerization. But you're grounding this
> paper in "two prime examples of sandbox: Gentoo's sandbox and Exherbo's
> sydbox" -- things most people have probably never used. This for me raises
> the question: when would I want "Gentoo's sandbox and Exherbo's sydbox"
> over kernel user-namespaces and podman?

You're comparing apples and oranges. podman is a container engine that gives
you isolation. You can use a sandboxing solution on top, such as gVisor or
syd-oci to provide a security boundary.

> I don't see that answer immediately and so my desire to continue reading
> drops significantly. This is only constructive criticism, maybe I'm not
> your desired audience but the title was interesting enough for me to jump
> in.

I appreciate your feedback regardless. I can see how the article may have been
confusing for you. However that confusion stems from an important misunderstanding:
Namespaces provide isolation, not necessarily security.

> --
> Evan Carroll - me () evancarroll com
> System Lord of the Internets
> web: http://www.evancarroll.com
> ph: 281.901.0011 <+1-281-901-0011>

Best regards,
Ali Polatel

Attachment: publickey - alip@hexsys.org - 0xC22DA9DE.asc
Description:

Attachment: signature.asc
Description: OpenPGP digital signature