On Thu, May 15, 2014 at 1:17 PM, Ciaran McCreesh
<ciaran.mccre...@googlemail.com> wrote:
> On Thu, 15 May 2014 17:15:32 +0000
> hasufell <hasuf...@gentoo.org> wrote:
>> Ciaran McCreesh:
>> > Sandboxing isn't about security.
>> >
>>
>> Sure it is.
>
> Then where do the bug reports for all the "security violations"
> possible with sandbox go?
>

There is a big difference between the sandbox utility
(sys-apps/sandbox) and the network-sandbox/ipc-sandbox features. The
former uses an LD_PRELOAD hack to intercept libc functions, and does
not provide any security benefit. The latter options create separate
namespaces in the kernel, which is probably a lot more secure.
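
Added example, not part of the original message and not Portage's own code: a small C check that a child process placed in a new network namespace really is separated by the kernel, by comparing namespace inodes as described in namespaces(7). The function names are hypothetical, and CLONE_NEWUSER is added as an assumption so the check can run without root on kernels that permit unprivileged user namespaces.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Inode of the caller's network namespace (see namespaces(7)); 0 on error. */
static ino_t netns_inode(void)
{
    struct stat st;
    return stat("/proc/self/ns/net", &st) == 0 ? st.st_ino : 0;
}

/*
 * Fork a child, move it into new user + network namespaces, and compare its
 * network namespace inode with the parent's.
 * Returns 1 = child is isolated, 0 = same namespace, -1 = could not test
 * (no /proc, or the kernel/seccomp policy refused unshare).
 */
int child_gets_own_netns(void)
{
    ino_t parent_ns = netns_inode();
    if (parent_ns == 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Enforced by the kernel: no libc wrapper is involved in the result. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0)
            _exit(2);
        ino_t child_ns = netns_inode();
        if (child_ns == 0)
            _exit(2);
        _exit(child_ns != parent_ns ? 0 : 1);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void)
{
    printf("child network namespace isolated: %d\n", child_gets_own_netns());
    return 0;
}
```

A result of -1 means the environment did not allow the test (for example a container whose seccomp profile blocks unshare), not that isolation failed.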
