Aleksa Sarai
Aleksa Sarai
@deitch > I kid you not, I had to reread this several times before I was sure I got it. :-) Damn, I was trying to make it simpler to...
> I understand it, but it feels like it goes against the grain on Unix style streams and pipes. I start processes, they inherit stdio no matter how far down,...
@deitch [I am currently on vacation, so sorry for the brief response.] I believe what you wrote is effectively correct, but I'll read through it again when I have some...
Alright, we now have documentation. Time to fix this issue. I'll take a look at this again later this week.
No, I stared at the stall for a while and couldn't figure it out. My line of thinking was that there's something odd going on with how Go is copying...
Landlock is trying to solve a separate problem and doesn't really help with the libseccomp issues we have -- Landlock is a new LSM (Linux Security Module) and it's probably...
Well, that is the argument behind LSMs in general (they restrict access to kernel objects). However that assumes there are no bugs in the LSM -- what seccomp does is...
Well, landlock isn't upstream yet. But once it is I imagine we'd add support to it in the runtime-spec (just like we support SELinux and AppArmor today).
Yup, runtime-spec would be the next step but I'd need to look into what model we should use for supporting it (the AppArmor/SELinux "just give me the label" model is...
> After v1.13, Docker now generates docker-default in tmpfs, uses apparmor_parser to load it into kernel, then deletes the file. All of the AppArmor utils (aa-* on Ubuntu) expect a...