[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [atomic-devel] systemd as pid 1 in an unprivileged container.


Tobias Florek <atomic ibotty net> writes:

> now that systemd conference has been a success, I wanted to ask whether
> you had a chance to look into it?

I was playing around with bubblewrap and systemd.  I've submitted some
patches for systemd that got merged:


they enable systemd to work without CAP_AUDIT[READ|WRITE] and not fail
when setgroups is disabled (can be done through /proc/PID/setgroups).

I have more patches to bubblewrap:


that are needed to run systemd in it.  I think the overall design, and
that some caps are left only when in a new  user namespace is safe.
Anyway, they require a very accurate review, as a bug there can open the
door to really bad things.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]