zlacker

[parent] [thread] 2 comments
1. simonw+(OP)[view] [source] 2026-02-07 04:05:39
Every time I use Docker as a sandbox people warn me to watch out for "container escapes".

I trust Firecracker more because it was built by AWS specifically to sandbox Lambdas, but it doesn't work on macOS and is pretty fiddly to run on Linux.

replies(2): >>OutOfH+bP >>its-su+rb2
2. OutOfH+bP[view] [source] 2026-02-07 14:59:25
>>simonw+(OP)
I think ChatGPT can do a much better job than I can for guiding how to safely use Docker as a sandbox: /share/69875282-1e38-8012-b627-7c0a678f9365

It's not industrial-grade safety for public use, but it'll do for personal use. Other tools for it are also mentioned.

3. its-su+rb2[view] [source] 2026-02-07 23:47:22
>>simonw+(OP)
Outside of VM usage, the answer seems to be (on top of containerization and selinux) writing a tight seccomp filter.

Gleaned from https://github.com/containers/bubblewrap/blob/0c408e156b12dd... and https://github.com/containers/bubblewrap/tree/0c408e156b12dd...

[go to top]