On 02/02/2017 07:28 PM, Leonid Isaev wrote:
> I already described an approach when one always runs browsers, pdf readers,
> etc, inside an lxc container, as an unprivileged user. That container resides
> on a filesystem mounted with nosuid (so things like ping, su, sudo won't work),
> and has a locked root account. On top of that, it connects to a xephyr session
> running on the host, to avoid X11 sniffing attacks.
> 
> I have been using such a setup on all my desktops for over a year now. The only
> way to break out of such a container is a local kernel privilege escalation. Of
> course, having *privileged* userns *might* help because inside container UID=0
> will map to smth like UID=123456 on the host, but this doesn't seem worth doing
> given all the issues with userns.

This sounds cool. Do you happen to have written that up somewhere? :)

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
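Two of the properties Leonid's container setup relies on (the container filesystem being mounted nosuid, and the container's root account being locked) can be verified from the host before trusting the container. The script below is an added example, not something posted in this thread: it parses /proc/mounts and /etc/shadow in their standard formats and reports whether each property holds. The mount point, the device name and the shadow entries are constructed sample data; on a real system you would feed it the actual files.

```shell
#!/bin/sh
# Added example (not from the thread): check that a container's filesystem is
# mounted nosuid and that its root account is locked. Both checks take the
# file contents as text so they can be run against constructed samples.

# check_nosuid MOUNTPOINT MOUNTS_TEXT
# Returns 0 if the /proc/mounts entry for MOUNTPOINT carries "nosuid".
check_nosuid() {
    mp="$1"
    printf '%s\n' "$2" | awk -v mp="$mp" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nosuid") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# check_root_locked SHADOW_TEXT
# Returns 0 if the root entry exists and its password field starts with "!" or
# "*", i.e. no password will ever authenticate root inside the container.
check_root_locked() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "root" {
            seen = 1
            if ($2 ~ /^[!*]/) locked = 1
        }
        END { exit((seen && locked) ? 0 : 1) }'
}

# Constructed sample inputs (not from a real system); the mount point
# /var/lib/lxc/browser and the device name are assumptions.
MOUNTS_GOOD='/dev/mapper/vg-lxc /var/lib/lxc/browser ext4 rw,nosuid,nodev,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
MOUNTS_BAD='/dev/mapper/vg-lxc /var/lib/lxc/browser ext4 rw,relatime 0 0'
SHADOW_LOCKED='root:!:17000:0:99999:7:::
browser:$6$saltsalt$hashhash:17000:0:99999:7:::'
SHADOW_OPEN='root:$6$saltsalt$hashhash:17000:0:99999:7:::'

# Run the checks against the samples; real use: check_nosuid "$mp" "$(cat /proc/mounts)"
check_nosuid /var/lib/lxc/browser "$MOUNTS_GOOD" && printf 'nosuid on good sample: ok\n'
check_nosuid /var/lib/lxc/browser "$MOUNTS_BAD"  || printf 'nosuid on bad sample: MISSING\n'
check_root_locked "$SHADOW_LOCKED" && printf 'root locked on good sample: ok\n'
check_root_locked "$SHADOW_OPEN"   || printf 'root locked on bad sample: NOT LOCKED\n'
```

The nosuid check looks at the options field of the exact mount point rather than grepping the whole file, so a nosuid mount elsewhere (such as /proc) cannot mask a container root that was mounted without it. Note that nosuid only neutralises setuid/setgid bits and file capabilities on that filesystem; it does not, as the quoted message says, protect against a kernel privilege escalation.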
