Comment by codethief 3 days ago

0 replies

> A quick search makes it seem like CRIs are trying to define their own custom Landlock interface.

Are you referring to [0, 1]?

> But if the CRI just blocks the syscalls by default

Does it? Where are you getting this from?

> I might be missing the whole idea here, but I really don't see why we need some custom layer in the middle instead of having container runtimes let the security syscalls through?

Because in the latter case you have to trust that the application will actually do the appropriate locking?

[0]: https://github.com/opencontainers/runc/issues/2859

[1]: https://github.com/opencontainers/runtime-spec/issues/1110
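For readers unfamiliar with what "the application doing the appropriate locking" means in the Landlock case, here is an added example (not code from codethief, runc, or the runtime-spec threads linked above) of a process voluntarily sandboxing itself: it probes the kernel's Landlock ABI version, builds a ruleset that denies all filesystem access by default, allows read-only access beneath `/usr` and `/etc`, sets `no_new_privs`, and then restricts itself. This is exactly the step a runtime cannot verify happened if it merely lets the `landlock_*` syscalls through. Assumptions: a Linux kernel with Landlock enabled (5.13 or later), the UAPI constants redefined inline with an `ll_` prefix so the file builds without `<linux/landlock.h>`, and the constructed paths `/usr`, `/etc`, and `/tmp/landlock-demo.txt` used only for the demonstration in `main`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Subset of the Landlock UAPI (linux/landlock.h), redefined here with an
 * "ll_" prefix so the example builds even where that header is absent.
 * The syscall numbers 444-446 are the same on every architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1
#define LL_FS_EXECUTE     (1ULL << 0)
#define LL_FS_WRITE_FILE  (1ULL << 1)
#define LL_FS_READ_FILE   (1ULL << 2)
#define LL_FS_READ_DIR    (1ULL << 3)
#define LL_FS_REFER       (1ULL << 13) /* added in ABI 2 */
#define LL_FS_TRUNCATE    (1ULL << 14) /* added in ABI 3 */
#define LL_FS_ALL_V1      ((1ULL << 13) - 1) /* the 13 rights of ABI 1 */

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Returns the kernel's Landlock ABI version (>= 1), or 0 when Landlock is
 * unavailable (old kernel, LSM disabled, or the syscall filtered away). */
int landlock_abi_version(void) {
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? 0 : (int)v;
}

/* Access rights to *handle* (deny unless a rule allows them). Asking the kernel
 * to handle a right it does not know yields EINVAL, so the set depends on the ABI. */
uint64_t fs_access_mask_for_abi(int abi) {
    uint64_t mask = LL_FS_ALL_V1;
    if (abi >= 2) mask |= LL_FS_REFER;
    if (abi >= 3) mask |= LL_FS_TRUNCATE;
    return mask;
}

/* Confine the calling process to read-only access beneath the given paths.
 * Returns 0 when enforced, 1 when Landlock is unavailable (nothing changed),
 * -1 with errno set on failure. Only the application itself can make this call;
 * a container runtime that merely permits the syscalls cannot force it. */
int restrict_to_read_only(const char *const *paths, size_t n) {
    int abi = landlock_abi_version();
    if (abi == 0) return 1;
    struct ll_ruleset_attr attr = { .handled_access_fs = fs_access_mask_for_abi(abi) };
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset_fd < 0) return -1;
    for (size_t i = 0; i < n; i++) {
        struct ll_path_beneath_attr rule = {
            .allowed_access = LL_FS_READ_FILE | LL_FS_READ_DIR | LL_FS_EXECUTE,
            .parent_fd = open(paths[i], O_PATH | O_CLOEXEC),
        };
        if (rule.parent_fd < 0) { close(ruleset_fd); return -1; }
        long rc = syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0);
        close(rule.parent_fd);
        if (rc < 0) { close(ruleset_fd); return -1; }
    }
    /* Landlock refuses to restrict a process that could still gain privileges via set-uid. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { close(ruleset_fd); return -1; }
    long rc = syscall(__NR_landlock_restrict_self, ruleset_fd, 0);
    close(ruleset_fd);
    return rc < 0 ? -1 : 0;
}

int main(void) {
    const char *const allowed[] = { "/usr", "/etc" }; /* constructed demo policy */
    int rc = restrict_to_read_only(allowed, 2);
    if (rc == 1) { puts("Landlock unavailable: process is NOT sandboxed"); return 0; }
    if (rc < 0) { perror("landlock"); return 1; }
    /* Creating a file outside the allowed trees must now fail with EACCES. */
    int fd = open("/tmp/landlock-demo.txt", O_WRONLY | O_CREAT | O_CLOEXEC, 0600);
    printf("create /tmp/landlock-demo.txt: %s\n", fd < 0 ? strerror(errno) : "allowed (unexpected)");
    if (fd >= 0) close(fd);
    /* Reading beneath /etc is still permitted by the rule added above. */
    fd = open("/etc/hostname", O_RDONLY | O_CLOEXEC);
    printf("read /etc/hostname: %s\n", fd < 0 ? strerror(errno) : "allowed");
    if (fd >= 0) close(fd);
    return 0;
}
```

Two details matter for the trust argument in the comment: the restriction is irreversible and inherited by children, but it only exists once the process chooses to call `landlock_restrict_self`, and a kernel without Landlock (or a runtime that filters the syscalls with seccomp) silently leaves the process unconfined, which is why the example reports that case explicitly instead of treating it as success.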