Comment by pritambaral

6 days ago

> https://github.com/ashishb/amazing-sandbox

Does your Docker backend run commands in rootless containers? I skimmed the code but didn't see anything to confirm this.

Right now, not. Eventually, they will.

You can pass your favorite rootless Docker image using the `--custom-docker-image` CLI parameter.

  • I hope you see the (IMO, obvious) problem.

    1. Docker (or any Linux container runtime, for that matter) is not intended for, designed for, or effective as a security boundary.
    2. Root containers run as root on the host. The "sandboxed" processes have full capabilities, as far as the kernel is concerned with them.
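
An added illustration of point 2 above, not part of the thread or of the amazing-sandbox project: a shell check that reads a `uid_map` (the kernel's `inside outside length` table in `/proc/<pid>/uid_map`) and reports what UID 0 in the container is in the parent user namespace. The function names and the two sample maps are constructed for this example, and the result describes one namespace level up, which is the host only when namespaces are not nested further.

```shell
#!/bin/sh
# Hypothetical helpers (names are this example's own, not from any tool).

# host_uid_for MAPFILE UID
# Translate a UID inside a user namespace to the UID in the parent
# namespace, using uid_map lines of the form "inside outside length".
host_uid_for() {
    awk -v uid="$2" '
        uid >= $1 && uid < $1 + $3 { print $2 + (uid - $1); found = 1; exit }
        END { if (!found) print "unmapped" }
    ' "$1"
}

# classify_root MAPFILE
# Report what UID 0 in this namespace corresponds to one level up.
classify_root() {
    mapped=$(host_uid_for "$1" 0)
    case "$mapped" in
        0)        echo "root-on-host" ;;
        unmapped) echo "unmapped" ;;
        *)        echo "remapped-to-$mapped" ;;
    esac
}

# Constructed sample maps, so the example runs offline.
demo_dir=$(mktemp -d)
# Identity map: what a container sees when no user namespace remapping is used.
printf '0 0 4294967295\n' > "$demo_dir/rootful"
# Rootless-style map: container root is unprivileged user 1000 in the parent,
# the remaining UIDs come from a subordinate range (values constructed).
printf '0 1000 1\n1 100000 65536\n' > "$demo_dir/rootless"

for f in rootful rootless; do
    echo "$f: $(classify_root "$demo_dir/$f")"
done

# On a live system, run inside the container:
#   classify_root /proc/self/uid_map
```
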