Exploring what sandboxing can be achieved by an unprivileged user in Linux
This could complement https://appimage.org nicely, I think.
https://github.com/projectatomic/bubblewrap/blob/master/README.md describes binctr as “just a wrapper around runC”, is that accurate?
I’m no authority on this, but main.go seems to do a bit of setup and then call NewContainer, which I assume is from the referenced libcontainer fork mentioned in the post. She mentions in the README a link to a mailing list post with proposed changes to libcontainer, so presumably it wouldn’t work without them. However, this is over a year old, and labeled as a POC, so…its probable that all this was added to runc and this is now irrelevant.