undefined | Better HN

0 pointsNewJazz1y ago0 comments

If it is running as root, can't it just manipulate its mount namespace at will? Mount devtmpfs, then mount user partitions.

0 comments

I believe one can use "capabilities" and seccomp to lock down a superuser process.

Systemd can put it in its own namespaces, like a container

j / k navigate · click thread line to collapse

I believe one can use "capabilities" and seccomp to lock down a superuser process.

Systemd can put it in its own namespaces, like a container

j / k navigate · click thread line to collapse