firecracker-microvm/firecracker
在 GitHub 查看Investigate running the jailer with reduced set of capabilities
Open
#1,190 创建于 2019年7月22日
Good first issuePriority: LowStatus: ParkedType: Enhancement
仓库指标
- Star
- (34,348 star)
- PR 合并指标
- (平均合并 3天 17小时) (30 天内合并 67 个 PR)
描述
We currently start the jailer as the superuser (i.e. using sudo), and rely on the fact the process will deprivilege itself before exec-ing into Firecracker. It would be interesting to know if we can run the jailer using a more restricted set of capabilities instead of full superuser mode.