this post was submitted on 06 May 2026
1 points (100.0% liked)

Security

2082 readers
1 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 2 years ago
MODERATORS
Vacant@programming.dev
1
Your Container Is Not a Sandbox (emirb.github.io)
submitted 4 days ago by codeinabox@programming.dev to c/security@programming.dev
5 comments fedilink hide all child comments
top 5 comments
sorted by: hot top controversial new old
[–] Neptr@lemmy.blahaj.zone 0 points 4 days ago (2 children)

For a proper sandbox (but also not a VM) on Linux, use Sydbox (or syd-oci). Virtual machines are an obvious choice, like said in the article, but a sandbox offers less overhead. The other issue with a VM is that, while it does isolate the guest from direct access to host resources, it doesn't stop the guest from doing whatever it wants (in the guest OS). The compromised guest could still attack the host or other network attached devices. Virt guests should still be configured with least privilege using a MAC (like SELinux or SMACK), or/and a sandbox policy (like with syd-oci).

[–] moonpiedumplings@programming.dev 0 points 4 days ago

Syd's architecture is similar to gvisor, mentioned in the article. It has similar tradeoffs, although I suspect it is more performant (can't find benchmarks) since it is written in rust, rather than go.

Gvisor has some significant performance hits: https://gvisor.dev/docs/architecture_guide/performance/ . microvm/cloud hypervisor/ other vm solutions, with kvm, are around a 95% performance.

[–] Kissaki@programming.dev 0 points 4 days ago* (last edited 4 days ago) (1 children)

That's some excessive text linking in the README I've not seen before. More blue than white, and three word-links one after another.

Quite the contrast to the "only" three footnotes.

[–] Neptr@lemmy.blahaj.zone 0 points 4 days ago (1 children)

Is that a bad thing? I personally like links to where I can learn more.

[–] moonpiedumplings@programming.dev 0 points 4 days ago* (last edited 4 days ago)

I don't. Many of the terms are easily searchable, and it's frustrating to click on one of them expecting to see syd-specific documentation about a topic or usecase only to see a generic post about a login shell (one of the links). It's trivial to highlight something and then right click and "Search DuckDuckGo for "highlighted term"" (firefox right click menu) nowadays. A search for "Login Shell Linux" nets that link they put in their documentation as literally the first result.

~~I wish they only actually linked syd's internal documentation, maybe to stuff like the LWN articles explaining some of their design decisions~~

Actually some of the links are easter eggs and they are pretty funny. Those can stay ig.