Security Headlines bubblewrap podcast special

43:02

In modern stacks, a large chunk of applications run in container environments such as Docker and systemd-nspawn. However, these applications are not built for security. The security community has proven again and again that privilege escalation attacks are very serious, with attacks such as Dirty Cow and CVE-2016-3135.

One way to tackle the problem of running an application as a low-privilege user, without that application being able to interact with other running applications, is to use *user namespaces*. Using user namespaces you can hide process IDs from the application and provide a more sandboxed environment.
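The isolation described above, shown with the raw kernel interface rather than bubblewrap's command line, as an added example that is not code from the podcast or from the bubblewrap project: a child is placed into new user, PID and mount namespaces with unshare(2), /proc is remounted inside the new PID namespace (what bwrap's --proc option does), and the child reports what it can see. The struct and function names (ns_report, run_sandboxed_probe, probe_result_code) are this example's own.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Names in this file are hypothetical; they are not bubblewrap's API. */
struct ns_report {
    int   available;     /* 1 if unshare() of a user namespace succeeded, else 0 */
    pid_t pid_in_ns;     /* PID the sandboxed child sees for itself (1 expected) */
    int   visible_procs; /* numeric /proc entries after remount, -1 if not remounted */
};

/* Count process directories in /proc: entries whose name starts with a digit. */
static int count_proc_entries(void)
{
    DIR *d = opendir("/proc");
    if (d == NULL)
        return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (isdigit((unsigned char)e->d_name[0]))
            n++;
    closedir(d);
    return n;
}

/* Send the report over the pipe and terminate this (child) process. */
static void send_report_and_exit(int fd, const struct ns_report *r)
{
    if (write(fd, r, sizeof *r) != (ssize_t)sizeof *r)
        _exit(1);
    _exit(0);
}

/* Run a probe child in fresh user, PID and mount namespaces and fill *out with
 * what it observed. Returns 0 if a report was received, -1 on plumbing errors. */
int run_sandboxed_probe(struct ns_report *out)
{
    struct ns_report r = { .available = 0, .pid_in_ns = 0, .visible_procs = -1 };
    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    /* A helper process does the unshare() so the caller's namespaces stay untouched. */
    pid_t helper = fork();
    if (helper < 0)
        return -1;
    if (helper == 0) {
        close(fds[0]);
        /* The user namespace is what makes the other two possible without root:
         * the process gains CAP_SYS_ADMIN inside the new user namespace only. */
        if (unshare(CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS) == 0) {
            r.available = 1;
            /* CLONE_NEWPID applies to children only, so fork once more. */
            pid_t inner = fork();
            if (inner == 0) {
                r.pid_in_ns = getpid(); /* 1: first process in the new PID namespace */
                /* Without a fresh procfs the child still reads the host's process
                 * list. Make mounts private first so nothing propagates back. */
                if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == 0 &&
                    mount("proc", "/proc", "proc",
                          MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) == 0)
                    r.visible_procs = count_proc_entries();
                send_report_and_exit(fds[1], &r);
            }
            if (inner > 0) {
                waitpid(inner, NULL, 0);
                _exit(0);
            }
        }
        send_report_and_exit(fds[1], &r); /* unshare() or inner fork() failed */
    }
    close(fds[1]);
    ssize_t got = read(fds[0], out, sizeof *out);
    close(fds[0]);
    waitpid(helper, NULL, 0);
    return got == (ssize_t)sizeof *out ? 0 : -1;
}

/* 0 = user namespaces unavailable here, 1 = child saw PID 1 and only itself in
 * /proc, 2 = child saw PID 1 but /proc could not be remounted, -1 = unexpected. */
int probe_result_code(void)
{
    struct ns_report r;
    if (run_sandboxed_probe(&r) != 0)
        return -1;
    if (!r.available)
        return 0;
    if (r.pid_in_ns != 1)
        return -1;
    return r.visible_procs == 1 ? 1 : 2;
}

int main(void)
{
    struct ns_report r;
    if (run_sandboxed_probe(&r) != 0)
        return 1;
    printf("user namespace available: %d\npid seen by child: %d\n"
           "processes visible in /proc: %d\n",
           r.available, (int)r.pid_in_ns, r.visible_procs);
    return 0;
}
```

On a kernel that allows unprivileged user namespaces the child reports PID 1 and exactly one entry in /proc, since the helper and everything else on the host are outside its PID namespace. The point the example makes explicit is that the namespace alone does not hide anything from tools that read /proc; the sandbox must also remount procfs inside the new PID namespace, which is why bubblewrap has a --proc option. Where the kernel or a seccomp policy refuses the user namespace, `available` stays 0 and nothing else is attempted.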

Alex wanted to make the distribution of multiplatform applications easy, which led him to sandboxing and namespaces. Today he maintains the "chroot on steroids" project *bubblewrap*, a sandbox platform for running sandboxed applications in different namespaces.

Alex is also a long-time Linux user, with 20 years working for Red Hat. He started to code on the Commodore 64 and has been a developer ever since. In school he was introduced to Solaris and went deeper and deeper down the Linux rabbit hole. Working on Linux allows Alex to work from home in the suburbs of Stockholm on programs that are used by a global user base.

In this episode, we talk about what it has been like to work on sandboxed desktop applications and how Flatpak has grown. So far there has been a handful of different CVEs for bubblewrap, which we talk about.

Flatpak has gotten bigger and bigger, and Flathub has seen the light of day; Flathub is a place where all Linux users can get sandboxed desktop applications. Flathub runs on a stable Rust backend; Alex picked Rust for the backend as one of his first larger Rust projects.

We of course talk about how Rust is becoming more a part of our daily lives as more and more applications are ported to it, like librsvg's journey from being written in C to now being a Rust code base, as well as libraries being written in Rust.

If you are maintaining an application with a graphical user interface and you target an audience running Linux on the desktop, we recommend that you get your application on Flathub. Here is a guide on how you can do that:

https://github.com/flathub/flathub/wiki/App-Submission

This podcast was made possible by running Zoom with Flatpak:

$ flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
$ flatpak install flathub us.zoom.Zoom
$ flatpak run us.zoom.Zoom

External links:

https://github.com/containers/bubblewrap

https://flathub.org/home

https://en.wikipedia.org/wiki/Slirp

https://github.com/rootless-containers/slirp4netns

https://podman.io/

https://github.com/GNOME/librsvg

https://blogs.gnome.org/alexl/

https://twitter.com/gnomealex

https://lkml.org/lkml/2016/3/9/555

https://lwn.net/Articles/657744/

https://blog.firosolutions.com/
