well, kernel issues put aside, processes in container do run a in a different cgroup, that's huge thing in terms of separation on it's own and eliminate a lot of security risks alone.
with good selinux policices and permissions you can achieve solid security.
problem is that people usually want complete opossite. They want containers (and flatpaks and other things) to access their space, so they deliberately share disks, networks and sockets (like dbus) and what not.
And they think that it keeps the same security properties...
Diacone Frost
npub1sc…mq7fu
2026-05-17 07:15:42 UTC
in reply to nevent1q…0s86
Author Public Key
npub1sceswwu9vldf0tg3nlkajutp2j4zsv35ewma9r23x8d2qa73eaaqmmq7fuSeen on
wss://relay.damus.ioPublished at
2026-05-17 07:15:42 UTCEvent JSON
{
"id": "8a2823ed1ceef9c062141fa980e40b9353b954f2840564cec99b44fd6a1ce2fc",
"pubkey": "8633073b8567da97ad119fedd9716154aa283234cbb7d28d5131daa077d1cf7a",
"created_at": 1779002142,
"kind": 1,
"tags": [
[
"alt",
"A short note: well, kernel issues put aside, processes in contai..."
],
[
"e",
"39a0d90d25651fca14d35e30a95fd3a0c67f7629f03f032784d09060f1784e25",
"wss://relay.damus.io/",
"root",
"036533caa872376946d4e4fdea4c1a0441eda38ca2d9d9417bb36006cbaabf58"
],
[
"e",
"60f25bba5ba44e74b4283cdd74c8a36b642f2a4af5c94c265f5edc959d2931df",
"wss://relay.damus.io/",
"",
"fea186c2a4678dbc437704eed2160846e8a781e5fb17056e9bb333840d5bdef2"
],
[
"e",
"ff3df37a2f1310c2e4bc3357c45a483e07f8cf7276d2b1d8bc6a3e7cd43e5497",
"wss://nostr.mom/",
"reply",
"036533caa872376946d4e4fdea4c1a0441eda38ca2d9d9417bb36006cbaabf58"
],
[
"p",
"036533caa872376946d4e4fdea4c1a0441eda38ca2d9d9417bb36006cbaabf58",
"wss://relay.primal.net/"
],
[
"p",
"fea186c2a4678dbc437704eed2160846e8a781e5fb17056e9bb333840d5bdef2",
"wss://relay.damus.io/"
],
[
"client",
"Amethyst"
]
],
"content": "well, kernel issues put aside, processes in container do run a in a different cgroup, that's huge thing in terms of separation on it's own and eliminate a lot of security risks alone. \n\nwith good selinux policices and permissions you can achieve solid security.\n\nproblem is that people usually want complete opossite. They want containers (and flatpaks and other things) to access their space, so they deliberately share disks, networks and sockets (like dbus) and what not.\n\nAnd they think that it keeps the same security properties...",
"sig": "542af1d781a6d9311f06c1474410563e6fde8cb4be938a94b46dfaea84cc4958b170dfa57b794a132a811b6fb824d5c3bf631694dd196dd5a27e0366c8dcebec"
}