On Wed, Jul 12, 2017 at 01:53:23PM +0200, Kevin Kofler wrote:
> It is clear that confining applications to a container helps a
> lot. But there ought to be a way to do it without physically duplicating
> everything. How about building a virtual file system view (file system
> namespacing exists in the kernel these days, doesn't it?) that contains a
> read-only view of the system /usr (and possibly other needed directories),
> together with other directories mounted off a container image or a tmpfs?
already possible to some extent with systemd directives, for system
DynamicUser=yes or dedicated user with User=,
+ InaccessiblePaths to "subtract" + BindReadOnlyPaths to "add",
and PrivateTmp/Private*/ProtectSystem + SystemCallFilter to implement the
(Or maybe RootImage or RootDirectory should be used to construct the
visible file system from scratch, binding in "external" stuff using
BindPaths and BindReadOnlyPaths. Dunno.)
Of course none of this is competition for Flatpak currently, because
it's not automatized and requires privileges.
It would be interesting to see how far this can be taken.
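To make the directive combination sketched in the reply concrete, here is an added example unit (not from the original thread) that confines a hypothetical daemon at /opt/sandboxed-app/bin/daemon: the host's /usr is visible read-only, paths are subtracted with InaccessiblePaths= and added with BindReadOnlyPaths=, and the Private*/Protect*/SystemCallFilter= directives cut down the rest. It assumes a systemd version that understands these directives (StateDirectory= and the @-prefixed syscall groups are newer than the 2017 thread).

```ini
# Added example, not from the thread: /etc/systemd/system/sandboxed-app.service
# Hypothetical service; the binary, config path and state directory are assumptions.
[Unit]
Description=Daemon confined with systemd sandboxing directives (example)

[Service]
ExecStart=/opt/sandboxed-app/bin/daemon
# Unprivileged transient user allocated at start-up (User= with a dedicated
# account is the alternative named in the thread).
DynamicUser=yes
# The only persistent writable location: /var/lib/sandboxed-app, created for us.
StateDirectory=sandboxed-app
# Keep the host file system (so /usr is shared, not duplicated) but mount it
# read-only except /dev, /proc, /sys and the state directory.
ProtectSystem=strict
ProtectHome=yes
# "Subtract" paths the daemon must never see, "add" the ones it needs read-only.
InaccessiblePaths=/boot /srv /root
BindReadOnlyPaths=/etc/sandboxed-app
# Private /tmp, a /dev without real hardware nodes, and no network at all.
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
# No privilege escalation via setuid/fscaps, and a reduced kernel surface.
NoNewPrivileges=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
# Deny-list the syscall groups an ordinary daemon has no business using;
# violations return EPERM instead of killing the process, which keeps logs useful.
SystemCallFilter=~@mount @privileged @reboot @swap @obsolete
SystemCallErrorNumber=EPERM
# The "from scratch" variant from the thread would instead use
#   RootDirectory=/var/lib/machines/sandboxed-app
#   BindReadOnlyPaths=/usr
# and bind in only what the image lacks.

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security sandboxed-app.service` scores the resulting exposure and lists every directive still left at its permissive default.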