Rodrigo Campos
Sorry, I was on PTO and super busy afterwards. I think for this case the chown of the device might be fine. However, we can't chown _any_ device, so if that...
I know that runc currently doesn't do an mknod if inside a userns. I wonder what happens, though, if the device is allowed in the devices cgroup and we do...
Yeap, I know that part of the documentation, I wasn't sure if that still applies for CUSE devices. You have tried to mknod a CUSE device, right? If that doesn't...
Then using the pipe to communicate with runc parent should work, using the shifted uid/gid. Wanna do a PoC? I wonder if there is another option we can choose here,...
@cyphar thanks for the long explanations, they really help :) About option 1, I'm not sure what this means:

> I continue to maintain `github.com/cyphar/filepath-securejoin` and libpathrs in parallel, and users...
Thanks! I think options 1-3 are quite similar and even if we choose one, maybe over time we decide to do another and it won't cause a major hassle. I'm...
CI is failing today as it's one of the planned outages before the runners are completely removed: https://github.com/actions/runner-images/issues/11101
> The alternative to that is use run explicitly:
>
> ```shell
> run -0 runc start foo
> ```

I like this better, it's also trivial to add taskset,...
> One issue is, we can't mix bash functions and binaries together, IOW something like `run -0 taskset xxx runc start foo` won't work.

Why? I mean, if `runc` is...
A virtual TPM sounds interesting to me. Is there a runtime-spec PR for this already? That will be needed too. I haven't had a look at the code yet :)