Reply to thread

Message

<blockquote data-quote="notabot" data-source="post: 797184" data-attributes="member: 75970">My understanding is the same, at dev time sandbox parameters can be determined, I haven’t seen anything that indicates the existence of runtime configuration but maybe it exists and but it’s hard to find documentation for it ?).What is the isolation though, does it mean that the sandboxed program is protected from injections ? Does it protect other processes from the sandboxed program ?I think it’s not about 0day Protection but about mitigation, the exploited program will be more contained (that’s the case eg for Docker containerisation in Linux )Eg in Linux each sandbox sees its own kernel namespace, it’s cant even see processes/threads on the host OS exist and for filesystem it can only see what has to explicitly be mounted at load time. I don’t have the same level of understanding with respect to&nbsp; what AppContainer does.</blockquote>

[QUOTE="notabot, post: 797184, member: 75970"] My understanding is the same, at dev time sandbox parameters can be determined, I haven’t seen anything that indicates the existence of runtime configuration but maybe it exists and but it’s hard to find documentation for it ?). What is the isolation though, does it mean that the sandboxed program is protected from injections ? Does it protect other processes from the sandboxed program ? I think it’s not about 0day Protection but about mitigation, the exploited program will be more contained (that’s the case eg for Docker containerisation in Linux ) Eg in Linux each sandbox sees its own kernel namespace, it’s cant even see processes/threads on the host OS exist and for filesystem it can only see what has to explicitly be mounted at load time. I don’t have the same level of understanding with respect to what AppContainer does. [/QUOTE]

Verification