zlacker

[parent] [thread] 3 comments
1. OutOfH+(OP)[view] [source] 2026-02-07 03:00:58
Docker and other container runners allow it. https://containers.dev/ allows it too.

https://github.com/microsoft/litebox might somehow allow it too if a tool can be built on top of it, but there is no documentation.

replies(1): >>simonw+X4
2. simonw+X4[view] [source] 2026-02-07 04:05:39
>>OutOfH+(OP)
Every time I use Docker as a sandbox people warn me to watch out for "container escapes".

I trust Firecracker more because it was built by AWS specifically to sandbox Lambdas, but it doesn't work on macOS and is pretty fiddly to run on Linux.

replies(2): >>OutOfH+8U >>its-su+og2
◧◩
3. OutOfH+8U[view] [source] [discussion] 2026-02-07 14:59:25
>>simonw+X4
I think ChatGPT can do a much better job than I can for guiding how to safely use Docker as a sandbox: /share/69875282-1e38-8012-b627-7c0a678f9365

It's not industrial-grade safety for public use, but it'll do for personal use. Other tools for it are also mentioned.

◧◩
4. its-su+og2[view] [source] [discussion] 2026-02-07 23:47:22
>>simonw+X4
Outside of VM usage, the answer seems to be (on top of containerization and selinux) writing a tight seccomp filter.

Gleaned from https://github.com/containers/bubblewrap/blob/0c408e156b12dd... and https://github.com/containers/bubblewrap/tree/0c408e156b12dd...

[go to top]