"Download Source" vs "Star/Fork/Issues/Pull Requests" at GitHub? Is it just me, but when I see a project not using GitHub/Bitbucket, its credibility drops drastically? Of course, there are others like Linux distros, GNU, etc., but we know and understand the motivation there.
I doubt it's just me though. Our lives are driven by heuristics and one of those is: "If something deviates from the norm, it's risky." For good or bad, the norm today is GitHub.
This is a really good concept. Not sure docker as configured will provide sufficient isolation, but with strict SElinux/AppArmor controls it is going to be way better than just hoping something you got from a PPA/pip/npm is safe. It is also good to see this as a security-in-depth component. Maybe those bash exploits wouldn't have been so catastrophic if everything touching the outside world was confined by default.
Also, since writing SElinux controls is so hard, this is a great way to package those controls for end users.
Docker knows how to automatically configure AppArmor and SELinux to contain the containers. Seems almost redundant, but if you like checking twice, that's definitely a supported feature of Docker.
You are over simplifying. The generic policies that are applied to an LXC instance are a trade-off between usability and security. A tightly bounded security policy will allow possibly correct behavior and nothing more, and this is very specific to the program.
Additionally, different parts of the program may need different policies. For example, qmail is structured to have components with different confinment policies. (See http://linux.die.net/man/8/qmail_selinux).
12 comments
[ 3.1 ms ] story [ 35.3 ms ] threadIt may be just you. Why does the credibility drop if it isn't using GitHub/BitBucket as long as the code is available easily?
Also, since writing SElinux controls is so hard, this is a great way to package those controls for end users.
Additionally, different parts of the program may need different policies. For example, qmail is structured to have components with different confinment policies. (See http://linux.die.net/man/8/qmail_selinux).
In fact many programs need to be restructured in this way. It is noticeable that Mac App Store programs are given very limited access and many needed to be extensively modified (http://arstechnica.com/apple/2011/07/mac-os-x-10-7/9/). It seems Ubuntu is on the same course: https://wiki.ubuntu.com/SecurityTeam/Specifications/Applicat...