capability use (without using ambient capabilities): non-ambient capabilities are not inherited across execve(2) unless the file being executed has POSIX file capabilities. Ambient capabilities (the --ambient flag) fix capability inheritance across execve(2) to avoid the need for file capabilities.
seccomp: a meaningful seccomp filter policy should disallow execve(2), to prevent a compromised process from executing a different binary. […]
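The seccomp point above in working code, as an added example (not minijail's own code or its policy-file format): a hand-written seccomp-bpf filter that lets every syscall through except execve(2) and execveat(2), which fail with EPERM, so a process that is later compromised cannot replace itself with a different binary. The architecture macro and the /bin/true probe are this example's assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64   /* assumed build targets */
#elif defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Installs a minimal seccomp-bpf filter in the calling process: every syscall
 * is allowed except execve(2)/execveat(2), which fail with EPERM.
 * Returns 0 on success or -errno on failure. */
int deny_execve(void)
{
    struct sock_filter filter[] = {
        /* Kill the process if it is running under a foreign ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Match the syscall number against both exec entry points. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };

    /* An unprivileged process may only install a filter once no_new_privs is set. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Tries to exec /bin/true (assumed path) and returns the errno it failed with;
 * under the filter the syscall is rejected before the path is even looked up. */
int probe_execve(void)
{
    char *argv[] = { "true", NULL };
    return execve("/bin/true", argv, NULL) == 0 ? 0 : errno;
}
```

The filter applies to the calling process and is inherited by its children, so install it after the sandboxed program has done any exec it legitimately needs.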
That really sums up what I hate about Linux security. It’s a bunch of unrelated features with no coherent design, which often interact poorly, and you need to use more than one of them to achieve any useful security policy. Compare it with, for example, jails and capsicum on FreeBSD: each can be used in isolation, each provides clear security properties, and they are orthogonal for composition so you get defence in depth if you use both.
It resembles bubblewrap a lot, although I think minijail is a bit more advanced in the options it presents. In fact I think (by reading the documentation of minijail) that their main use-case is security isolation, meanwhile bwrap is more about portability. Just the previous day I was toying with bwrap to start a container without Podman / Docker. I'm curious how minijail works for this use-case. A better explanation of the implementation than the about page: