
Sandbox/limit child processes within a container runtime
Open, Medium, Public


We have various cases where we want an application to check/parse/transform some form of untrusted binary input (be it an image, a video, a PostScript/PDF, etc.), and we just execute another binary to handle the actual transformation.

We want the application secrets not to be easily accessible from said binary, and traditionally limit execution with a combination of firejail profiles and (from MediaWiki)

It appears that firejail doesn't work well out of the box within Docker (see ), and it seems to rely on the ability to modify the global cgroup hierarchy, which I doubt works within any container runtime.

We need to find alternatives, or this will block at least moving Thumbor and MediaWiki to k8s.