1. 4
  1.  

    1. 2

      It resembles bubblewrap a lot, although I think minijail is a bit more advanced in the options it presents.

      In fact I think (by reading the documentation of minijail) that their main use-case is security isolation, while bwrap is more about portability.

      Just the previous day I was toying with bwrap to start a container without Podman / Docker. I’m curious how minijail works for this use-case.

    2. 1

      A better explanation of the implementation than the about page:

      […]

      • capability use (without using ambient capabilities): non-ambient capabilities are not inherited across execve(2) unless the file being executed has POSIX file capabilities. Ambient capabilities (the --ambient flag) fix capability inheritance across execve(2) to avoid the need for file capabilities.
      • seccomp: a meaningful seccomp filter policy should disallow execve(2), to prevent a compromised process from executing a different binary. […]
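As an added illustration of the second bullet (example code written here, not taken from the comment or from minijail itself): a minimal raw seccomp-BPF filter that makes execve(2) and execveat(2) fail with EPERM, installed after no_new_privs. It omits the architecture check a production policy would carry, and /bin/false is only a convenient target: if the filter did not hold, the process would be replaced and exit non-zero.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Install a seccomp-BPF filter that returns EPERM for execve(2) and
 * execveat(2) and allows every other syscall. Returns 0 on success. */
static int deny_exec(void) {
    struct sock_filter filter[] = {
        /* Load the syscall number from the seccomp_data the kernel passes in. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* nr == execve  -> skip 2 instructions to the EPERM return. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),
        /* nr == execveat -> skip 1 instruction to the EPERM return. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Needed for an unprivileged process to install a filter; it also stops
     * setuid and file-capability binaries from regaining privilege. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Install the filter, then try to exec /bin/false. Returns the errno left by
 * execve: EPERM when the filter works. A successful execve never returns, so
 * the process would instead become /bin/false and exit with status 1. */
int exec_denied_errno(void) {
    if (deny_exec() != 0)
        return -1;
    char *const argv[] = { "/bin/false", NULL };
    execve("/bin/false", argv, NULL);
    return errno;
}

int main(void) {
    int e = exec_denied_errno();
    printf("execve after filter: errno=%d (%s)\n", e,
           e == EPERM ? "EPERM, exec blocked" : "unexpected");
    return e == EPERM ? 0 : 1;
}
```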
      1. 2

        That really sums up what I hate about Linux security. It’s a bunch of unrelated features with no coherent design, which often interact poorly, and you need to use more than one of them to achieve any useful security policy. Compare it with, for example, jails and capsicum on FreeBSD: each can be used in isolation, each provides clear security properties, and they are orthogonal for composition so you get defence in depth if you use both.