On Tue, Oct 05, 2021 at 11:46:39AM +0200, Michael Lausch wrote:
> On Tue, Oct 5, 2021, 09:53 Adrian Reber <adrian(a)lisas.de> wrote:
> > On Mon, Oct 04, 2021 at 05:09:33PM +0200, Tobias Wendorff wrote:
> > > I just had a talk with some LXC nerds.
> > >
> > > Their opinion is that unprivileged LXC is more secure than Docker and
> > > similar solutions. These would translate the syscalls to userspace, to not
> > > have a direct interface to the kernel. In LXC, the syscalls themselves would
> > > have built-in namespace awareness in the kernel itself, but without a
> > > translation layer.
> > >
> > > How does this statement relate to the security of a container running in
> > > rootless Podman in a normal user? Could the "translation layer" introduce
> > > trouble?
> >
> > I am really confused about the translation layer you are mentioning; I
> > have not heard of it before.
> >
> Maybe seccomp with BPF filtering is meant.
> There's the userspace notification mechanism which does something like
> this.
Yes, I also thought that this might be it. But it is an LXD and not an LXC
feature, if I remember it correctly.
Adrian