On Fri, May 6, 2016, at 04:51 PM, Muayyad AlSadi wrote:
> What I'm considering is not a complex daemon/service that creates the
> container but just creates a veth pair.
> Unc proof of concept uses two separate binaries: unc, which creates the
> container, and unet, which is the setuid one that configures it'
What I'm considering is not a complex daemon/service that creates the
container but just creates a veth pair.
Unc proof of concept uses two separate binaries: unc, which creates the
container, and unet, which is the setuid one that configures its network
https://github.com/LK4D4/unc?files=1
Do you think splitti
On 05/06/2016 03:46 PM, Muayyad AlSadi wrote:
long long ago we had this <https://fedoraproject.org/wiki/Features/RemoveSETUID>
Yes I remember the guy that did that... The idea there was to take
advantage of File System Capabilities. I believe bubblewrap is
currently using them although it
> There is probably a good case to be made that setuid is more secure
> than a random service that can set up
I totally agree, but my humble (maybe ignorant and less informed) idea is
something like pam_oddjob_mkhomed
There is probably a good case to be made that setuid is more secure
than a random service that can set up
processes into different cgroups/namespaces, security zones.
setuid allows you to maintain the fork() exec() model, and keep things
simple.
On 05/06/2016 01:49 PM, Muayyad AlSadi wrote:
Why setuid? Why not just do the non-privileged part, then fire a dbus event
to some root service to do the privileged part of adding network config
(and use policy kit to validate the request),
or a root daemon that does the privileged part of network configuration.
so in summary
an unprivileged
On Thu, May 5, 2016, at 02:10 PM, Josh Berkus wrote:
> So I want to have a "Pop the Bubblewrap" contest which we discussed
> somewhere else. That is, let's put out a contest for users to try to
> break through bubblewrap and report the technical issues. We'll have
> some prizes.
One thing I'd s
On 06/05/16 00:52, Daniel J Walsh wrote:
>
>
> On 05/05/2016 02:10 PM, Josh Berkus wrote:
>>> Currently it is not part of a product and has not had a rigorous
>>> review from a security team. However, I believe our approach
>>> is good, and if anyone wants a peer-reviewed setuid binary
>>> for c
On 05/05/2016 02:10 PM, Josh Berkus wrote:
Currently it is not part of a product and has not had a rigorous
review from a security team. However, I believe our approach
is good, and if anyone wants a peer-reviewed setuid binary
for container features, it's worth considering bubblewrap!
So I w
> Currently it is not part of a product and has not had a rigorous
> review from a security team. However, I believe our approach
> is good, and if anyone wants a peer-reviewed setuid binary
> for container features, it's worth considering bubblewrap!
So I want to have a "Pop the Bubblewrap" con