Comment by vbezhenar

14 hours ago

Linux kernel is ridden with local privilege escalation vulnerabilities. This approach works for trusted software that you just want to contain, but it won't work for malicious software.

Ridden? There are issues from time to time, but it's not like you can grab the latest, patched Ubuntu LTS and escalate from an unprivileged seccomp sandbox that doesn't include crazy device files.

  • Any sandbox technology works fine until it isn't. It's not like you could escape Java sandbox, but Java applets were removed from the browsers due to issues being found regularly. In the end, the browser sandbox is one of the few that billions of people use and run arbitrary code there every day, without even understanding that. The only comparable technology is qemu. I don't think there are many hosters who will hand off user account to a shared server and let you go wild there.

    • > Any sandbox technology works fine until it isn't.

      Tautology is tautology.

      > but Java applets were removed from the browsers

      Java applets provided more scope compared to the browser itself, not less. They're not really comparable to seccomp or namespaces.

      > hosters who will hand off user account to a shared server

      There's lots of CI or function runners that expose docker-like environments.

    • > Java applets were removed from the browsers due to issues being found regularly

      Java applets were killed off by MS's attempt at "embrace, extend, extinguish" by bundling an incompatible version of Java with IE, and Sun's legal response to this.

  • The Linux API surface is massive. And the fact it's written in C leaves lots of room for vulnerabilities. I don't think you need to reach for a VM, but without a slimmer kernel interface, it's difficult to trust the kernel to actually uphold its required duties in the face of adversaries. This is why folks push heavily for microkernels. Chrome needs to work incredibly hard to provide reliable sandboxing as a result.