Support additional isolation features

[nicoonoclaste]

Would you consider PRs that add support for Linux sandboxing features that are complementary to namespaces, such as MAC (via AppArmor, for example) and seccomp filters?

This would enable using unshare to build safe(r) sandboxes, by limiting the exposed attack surface on the rest of the system, esp. the kernel.

[tailhook]

Probably yes, if this either requires complex initialization in child process before exec, or has complex interactions between current features and MAC (I'm not familiar with how MACs work). We may put it under a feature gate if it requires new dependencies, though.

Integrating seccomp is on my to do list, but I'm not going to do it soon. So yes, contributions are welcome.

[pwFoo]

I play with / build a minimal container runtime host without featues like AppAmor or SELinux.
At the moment I use crun / runc as runtime.
Also played a little bit with busybox unshare, but it was possible to break out of the namespaced environment?

Is there a security feature implemented to prevent access to /sys and /proc from inside of a container created with your unshare?

[tailhook]

Is there a security feature implemented to prevent access to /sys and /proc from inside of a container created with your unshare?

Not exactly. But you can either change the user or change the user and create a user namespace (to become root in a new namespace) or you can use libmount (or any other mount sycall wrapper) to hide/configure these directories.

Sorry for late reply.