Post Syndicated from original https://lwn.net/Articles/899281/

On the first day of the 2022 Linux
Security Summit North America (LSSNA) in Austin, Texas, Stéphane Graber
and Christian Brauner gave a presentation on using system-call interception
for container security purposes. The idea is to allow unprivileged
containers, those without elevated privileges on the host, to still
accomplish their tasks, some of which require privileges. A fair amount of
work has been done to make this
viable, but there is still more to do.