(no title)
l0kod
|
1 year ago
Namespace are very useful to build virtual environments, but I think it's important to keep in mind that they are not designed for sandboxing and don't provide security guarantees (e.g. mount point propagation), nor fine-grained access rights, nor security events (e.g. logs)... which might be OK according to use cases. Also, namespaces increase the attack surface of the kernel (e.g. vulnerabilities that can be reached through user namespaces). That being said, even if Landlock can control the most important filesystem access rights, not all of them are supported yet. New kernel releases bring new Landlock features (e.g. IPC, network control). It takes some time to build a new and safe access control system but we'll get there!
No comments yet.