alt Hacker Newsboth Docker and bubblewrap are not secure sandboxes. the only way to have actually isolated sandboxes is by using VMs
disclaimer: i work on secure sandboxes at E2B
Replies
senko • yesterday at 8:59 PM
No disagreement from me. From the article:
> Bubblewrap and Docker are not hardened security isolation mechanisms, but that's okay with me.
Edit to add: my understanding is the major flaw in this approach is potential bugs in Linux kernel that would allow sandbox escape. Would appreciate your insight if there are some easier/more probable attack vectors.
its-summertime • yesterday at 9:36 PM
Do you have more information on how to set up such VMs?
➕ show 1 reply
What about cgroups? I know they are not exactly analogous, but to me that seems like a pretty decent solution.