Although it is not a sandboxing solution, using `openat2(2)` with `RESOLVE_IN_ROOT` and `RESOLVE_NO_MAGICLINKS` adds a bit more security, especially when running as non-root and no sandboxing option is available.
This was requested to be able to run inside an OpenShift unprivileged pod where "virtiofsd is already in a container". The OSP seccomp policy denies CLONE_NEWUSER and NO_NEW_PRIVILEGES is turned on by default. This could be useful in combination with !136, related: #63

---

https://gitlab.com/virtio-fs/virtiofsd/-/merge_requests/141

_______________________________________________
Virtio-fs mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/virtio-fs
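The lookup the message describes, as an added C example that is not virtiofsd's own code: `open_in_root` wraps the raw `openat2(2)` syscall with `RESOLVE_IN_ROOT | RESOLVE_NO_MAGICLINKS`, and `demo` builds a constructed tree under /tmp to show that `..`, absolute paths and symlink targets all stay inside the root fd. It assumes Linux 5.6 or newer at run time and declares the openat2 ABI itself when the kernel headers are older; the `open_in_root` and `demo` names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__has_include) && __has_include(<linux/openat2.h>)
#  include <linux/openat2.h>
#endif
#ifndef RESOLVE_IN_ROOT        /* pre-5.6 headers: declare the openat2 ABI ourselves */
struct open_how { uint64_t flags, mode, resolve; };
#  define RESOLVE_NO_MAGICLINKS 0x02
#  define RESOLVE_IN_ROOT       0x10
#endif
#ifndef SYS_openat2
#  define SYS_openat2 437      /* same number on every architecture */
#endif
/* Open `path` with rootfd acting as "/" for the whole lookup. RESOLVE_IN_ROOT keeps
 * "..", absolute paths and symlink targets inside rootfd; RESOLVE_NO_MAGICLINKS refuses
 * /proc-style magic links. Returns an fd or -errno; retry on -EAGAIN (concurrent rename). */
int open_in_root(int rootfd, const char *path, int flags)
{
    struct open_how how;
    memset(&how, 0, sizeof how);
    how.flags = (uint64_t)flags | O_CLOEXEC;
    how.resolve = RESOLVE_IN_ROOT | RESOLVE_NO_MAGICLINKS;
    long fd = syscall(SYS_openat2, rootfd, path, &how, sizeof how);
    return fd < 0 ? -errno : (int)fd;
}
/* Constructed check: a tree under /tmp holding hello.txt plus a symlink whose
 * absolute target lies outside it. Returns 1 when containment is verified,
 * 0 if openat2 is unavailable (old kernel or seccomp), -1 on anything else. */
int demo(void)
{
    char dir[] = "/tmp/openat2-demo-XXXXXX", buf[4] = {0};
    if (!mkdtemp(dir)) return -1;
    int rootfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int w = openat(rootfd, "hello.txt", O_WRONLY | O_CREAT, 0600);
    if (rootfd < 0 || w < 0 || write(w, "hi", 2) != 2) return -1;
    close(w);
    if (symlinkat("/etc/passwd", rootfd, "escape") < 0) return -1;
    int r = open_in_root(rootfd, "../../hello.txt", O_RDONLY);  /* ".." cannot leave root */
    if (r == -ENOSYS || r == -EPERM) return 0;
    if (r < 0 || read(r, buf, 2) != 2 || strcmp(buf, "hi") != 0) return -1;
    close(r);
    /* the symlink's "/etc/passwd" is re-rooted to rootfd/etc/passwd, which does not exist */
    return open_in_root(rootfd, "escape", O_RDONLY) == -ENOENT ? 1 : -1;
}
```

Without `RESOLVE_IN_ROOT` the same `openat()` of `escape` would follow the symlink to the host's /etc/passwd, which is exactly the escape this flag closes for an unsandboxed daemon.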
