this post was submitted on 06 May 2026
21 points (92.0% liked)

Security

2077 readers
30 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 2 years ago
MODERATORS
Vacant@programming.dev
21
Your Container Is Not a Sandbox (emirb.github.io)
submitted 1 day ago by codeinabox@programming.dev to c/security@programming.dev
7 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Neptr@lemmy.blahaj.zone 3 points 1 day ago (2 children)

For a proper sandbox (but also not a VM) on Linux, use Sydbox (or syd-oci). Virtual machines are an obvious choice, like said in the article, but a sandbox offers less overhead. The other issue with a VM is that, while it does isolate the guest from direct access to host resources, it doesn't stop the guest from doing whatever it wants (in the guest OS). The compromised guest could still attack the host or other network attached devices. Virt guests should still be configured with least privilege using a MAC (like SELinux or SMACK), or/and a sandbox policy (like with syd-oci).

[–] moonpiedumplings@programming.dev 0 points 22 hours ago (1 children)

Syd's architecture is similar to gvisor, mentioned in the article. It has similar tradeoffs, although I suspect it is more performant (can't find benchmarks) since it is written in rust, rather than go.

Gvisor has some significant performance hits: https://gvisor.dev/docs/architecture_guide/performance/ . microvm/cloud hypervisor/ other vm solutions, with kvm, are around a 95% performance.

[–] Neptr@lemmy.blahaj.zone 1 points 21 hours ago

The advantage of an application kernel is that it reduces the access a running application has to exploit the kernel. Sure, with a VM the guest runs its own kernel. But the KVM hypervisor is still in the host's kernelspace. Implementing syscalls in userspace while using a safer subset of the kernel's syscalls helps prevent certain attacks. The performance hit is real of course. But syd has different goals than gVisor because it prevents apps from running unless they are given the permissions to do so.

[–] Kissaki@programming.dev 1 points 1 day ago* (last edited 1 day ago) (1 children)

That's some excessive text linking in the README I've not seen before. More blue than white, and three word-links one after another.

Quite the contrast to the "only" three footnotes.

[–] Neptr@lemmy.blahaj.zone 1 points 1 day ago (2 children)

Is that a bad thing? I personally like links to where I can learn more.

[–] Kissaki@programming.dev 1 points 9 hours ago

I find the text harder to read, the more significant links and terms or aspects harder to identify, and the consecutive-words-links unable to identify without hovering.

I get the idea, but I think it can be done better, and if it's like this, between less and more, I prefer less - even if that means fewer references.

[–] moonpiedumplings@programming.dev 1 points 22 hours ago* (last edited 22 hours ago)

I don't. Many of the terms are easily searchable, and it's frustrating to click on one of them expecting to see syd-specific documentation about a topic or usecase only to see a generic post about a login shell (one of the links). It's trivial to highlight something and then right click and "Search DuckDuckGo for "highlighted term"" (firefox right click menu) nowadays. A search for "Login Shell Linux" nets that link they put in their documentation as literally the first result.

~~I wish they only actually linked syd's internal documentation, maybe to stuff like the LWN articles explaining some of their design decisions~~

Actually some of the links are easter eggs and they are pretty funny. Those can stay ig.