alt Hacker NewsEvery time I use Docker as a sandbox people warn me to watch out for "container escapes".
I trust Firecracker more because it was built by AWS specifically to sandbox Lambdas, but it doesn't work on macOS and is pretty fiddly to run on Linux.
Replies
OutOfHere • yesterday at 2:59 PM
I think ChatGPT can do a much better job than I can for guiding how to safely use Docker as a sandbox: /share/69875282-1e38-8012-b627-7c0a678f9365
It's not industrial-grade safety for public use, but it'll do for personal use. Other tools for it are also mentioned.
Outside of VM usage, the answer seems to be (on top of containerization and selinux) writing a tight seccomp filter.
Gleaned from https://github.com/containers/bubblewrap/blob/0c408e156b12dd... and https://github.com/containers/bubblewrap/tree/0c408e156b12dd...