We have various cases where we want an application to check/parse/transform some form of untrusted binary input (be it an image, a video, a postscript/pdf, etc), and we just execute another binary to handle the actual transformation.
We want the application secrets not to be easily accessible from said binary, and traditionally limit execution with a combination of firejail profiles and (from MediaWiki) limit.sh.
It appears that firejail doesn't work well out of the box within docker (see https://github.com/netblue30/firejail/issues/2579), and limit.sh seems to rely on the ability to modify the global cgroup hierarchy, which I doubt works within any container runtime.
We need to find alternatives or this will block at least moving thumbor and MediaWiki to k8s.