Getting Towards Real Sandbox Containers
Containers are all the rage right now.
At the very core of containers are the same Linux primitives that are also used to create application sandboxes. The most common sandbox you may be familiar with is the Chrome sandbox. You can read in detail about the Chrome sandbox here:chromium.googlesource.com/chromium/src/+/master/docs/linux_sandboxing.md. The relevant aspect for this article is the fact it uses user namespaces and seccomp. Other deprecated features include AppArmor and SELinux. Sound familiar? That’s because containers, as you’ve come to know them today, share the same features.
Why are containers not currently being considered a “sandbox”?
One of the key differences between how you run Chrome and how you run a container are the privileges used.
Read more at Jessie Frazelle's Blog