this post was submitted on 06 May 2026
29 points (93.9% liked)

Security

2077 readers
16 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 2 years ago
MODERATORS
Vacant@programming.dev
29
Your Container Is Not a Sandbox (emirb.github.io)
submitted 2 days ago by codeinabox@programming.dev to c/security@programming.dev
7 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Neptr@lemmy.blahaj.zone 3 points 1 day ago (6 children)

For a proper sandbox (but also not a VM) on Linux, use Sydbox (or syd-oci). Virtual machines are an obvious choice, like said in the article, but a sandbox offers less overhead. The other issue with a VM is that, while it does isolate the guest from direct access to host resources, it doesn't stop the guest from doing whatever it wants (in the guest OS). The compromised guest could still attack the host or other network attached devices. Virt guests should still be configured with least privilege using a MAC (like SELinux or SMACK), or/and a sandbox policy (like with syd-oci).

[–] Kissaki@programming.dev 2 points 1 day ago* (last edited 1 day ago) (3 children)

That's some excessive text linking in the README I've not seen before. More blue than white, and three word-links one after another.

Quite the contrast to the "only" three footnotes.

[–] Neptr@lemmy.blahaj.zone 1 points 1 day ago (2 children)

Is that a bad thing? I personally like links to where I can learn more.

[–] moonpiedumplings@programming.dev 2 points 1 day ago* (last edited 1 day ago)

I don't. Many of the terms are easily searchable, and it's frustrating to click on one of them expecting to see syd-specific documentation about a topic or usecase only to see a generic post about a login shell (one of the links). It's trivial to highlight something and then right click and "Search DuckDuckGo for "highlighted term"" (firefox right click menu) nowadays. A search for "Login Shell Linux" nets that link they put in their documentation as literally the first result.

~~I wish they only actually linked syd's internal documentation, maybe to stuff like the LWN articles explaining some of their design decisions~~

Actually some of the links are easter eggs and they are pretty funny. Those can stay ig.

load more comments (1 replies)
load more comments (1 replies)
load more comments (3 replies)