[HN Gopher] Barco: Linux Containers from Scratch in C
Author : lcvln
Score : 106 points
Date : 2023-08-06 19:47 UTC (3 hours ago)
Link : github.com

shortrounddev2 wrote:
Very cool, I was thinking of doing something similar in windows

semiquaver wrote:
What is the underlying isolation technology that would be used in windows?

lcvln wrote:
barco is a project I worked on to learn more about Linux containers and the Linux kernel, based on other guides on the internet.

intelVISA wrote:
awesome, thx for sharing this :)

zamalek wrote:
> barco enforces a minimal set of restrictions to run untrusted code, which is not recommended for production use, where a more robust solution should be used.

Aren't containers never suitable for running untrusted code? You need AppArmor, bwrap, or similar AFAIK.

charcircuit wrote:
> Aren't containers never suitable for running untrusted code?

They are suitable provided the kernel is secure.

cyphar wrote:
This is tautologically true -- "Is X secure? Yes, assuming the technology X uses is secure."

The more nuanced answer is that containers have several layers of protections (seccomp, LSMs, user namespaces, namespaces, cgroups, capabilities, and standard process permissions by running as an unprivileged user) which all act together to help protect against container attacks. It's not perfect, but most container breakout attacks we've had so far are related to when container runtimes have to operate on a container during process setup (IMHO because the process for creating a container process is far from atomic) -- some of these attacks were enabled by kernel bugs which we went and fixed as well. It is very difficult to break out of a container once it has been configured and left alone.

loeg wrote:
I would probably point at a virtual machine for a convenient place to run untrusted code. It's not perfect -- there are VM escapes -- but it's more convenient than a dedicated, air-gapped machine.

CameronNemo wrote:
GKE runs every kubelet in its own gvisor-like userspace hypervisor.

https://cloud.google.com/blog/products/containers-kubernetes...

cyphar wrote:
bwrap is a container and AppArmor is used by basically every container runtime if the system is using AppArmor (otherwise they use SELinux). Seccomp is also enabled by default, and I would argue it is a more significant protection against container breakouts because it protects against kernel 0-days as well and doesn't rely on LSM hooks to block operations. The real question is whether you are using user namespaces.

Jessica Frazelle ran a public bug bounty to break out of a container image that is properly secured, and as far as I know nobody collected the bounty. The website isn't up at the moment, maybe she took it down. https://contained.af/

jppittma wrote:
Sounds like free money to me. You just press Ctrl+D, and you're out.

cyphar wrote:
Sadly that doesn't help you get access to the flag file you need to collect the bounty. ;)

gjkood wrote:
Your project is not in the same space but do you foresee any conflicts with the name regarding copyrights, trademarks etc with Barco, Inc. [1], the projector/display company?

[1] https://www.barco.com/en

CameronNemo wrote:
_Please don't complain about tangential annoyances--e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting._

Philpax wrote:
GP was asking if it could cause an issue for the OP, not complaining about an annoyance. It's something that the OP may want to address.

CameronNemo wrote:
I still think it is tangential. The author stated that they wrote this project to learn. The readme says that it is not intended for production use and that there is no networking set up in the containers.

With that context, I doubt that name collisions outside of the containers space are top of mind.

lcvln wrote:
barco really just means "hay barrack" in my native language ¯\_(ツ)_/¯
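cyphar's comments above list seccomp among the layers a runtime stacks and argue that it matters more than the LSM because it filters syscalls before they reach kernel code. As an added example (not barco's code and not from any commenter), here is the minimal seccomp-BPF filter a from-scratch runtime would install in the child before exec'ing the container's init: it checks the architecture field, returns EPERM for one chosen syscall number, and allows everything else. The `errno_seen_under_filter` probe, and the use of `getppid` as a harmless call to exercise it, are this example's own constructions; a real runtime ships an allowlist of several hundred syscalls, not a single denied number, and combines it with user namespaces and capability drops rather than relying on it alone.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The filter must pin the syscall ABI: on x86_64 a 32-bit compat syscall
 * carries a different number, so an unchecked filter could be bypassed. */
#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__arm__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARM
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS /* older headers only have the thread variant */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Install a filter that fails syscall `blocked_nr` with EPERM and allows all
 * others. Returns 0 on success, -1 (errno set) if the kernel refused it. */
static int install_block_filter(int blocked_nr)
{
    struct sock_filter prog[] = {
        /* Kill the process outright if the syscall ABI is not the one we built for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Compare the syscall number; matching calls never reach kernel code. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)blocked_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = (unsigned short)(sizeof(prog) / sizeof(prog[0])),
        .filter = prog,
    };

    /* Unprivileged processes may only install a filter after no_new_privs,
     * which also stops a setuid binary from running with the filter removed. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Probe helper (constructed for this example): fork, install the filter in the
 * child, issue `called_nr` with no arguments, and report the errno the child
 * saw: 0 if the call went through, EPERM if the filter rejected it, -1 if the
 * probe itself could not run (no seccomp support, fork failure, ...). */
int errno_seen_under_filter(int blocked_nr, int called_nr)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_block_filter(blocked_nr) != 0)
            _exit(255);
        errno = 0;
        long r = syscall(called_nr);
        _exit(r == -1 ? errno : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void)
{
    printf("getppid with mount blocked:   errno %d\n",
           errno_seen_under_filter(SYS_mount, SYS_getppid));
    printf("getppid with getppid blocked: errno %d\n",
           errno_seen_under_filter(SYS_getppid, SYS_getppid));
    return 0;
}
```

The filter is inherited across fork and execve, which is why a runtime installs it as the last step before exec'ing the container process; returning an errno rather than killing keeps the denied program debuggable, while a production allowlist usually logs or kills on unknown syscalls so that a probe for a fresh kernel bug is visible.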