That makes sense for a per-process filter. I'm still getting up to speed on seccomp. When you say it returns an Err(EACCES) to the Command call, does ...
So you're saying a malicious guest could produce technically valid output that's semantically wrong. That's a scary thought for something like a home ...
That's a neat trick. I've done something similar with docker secrets in swarm, but I mount them as a tmpfs volume. Same idea. Question though: what a...
That "polite fiction" line is a good way to put it. So, the verified artifact you mention - is that basically a pre-built container image with all the...
Oh that's a good point about local LLMs. I was just setting up llama.cpp with Docker and assumed the cgroup limits I set would work. You're saying the...
Totally agree we need more examples. I've been trying to learn this stuff for a Home Assistant setup. You mentioned a panic bringing down the host fr...
That makes sense. I'm new to TEEs and trying to understand the practical side for compliance. When you say > full visibility into the host configur...
This makes so much sense. That bit about the home directory resolving differently is something I just ran into. My script writes a config to ~/.app/co...
Thanks for laying this out. So for the supply chain phase, you're proposing to sandbox the install process in its own container, right? That makes sen...
So the agent never even sees the pre-approved list? It just gets a credential and tries to connect, and the network layer outside decides if it's allo...
That's a really good question. I'm also curious if there's a built-in way. I run a lot of tools in Docker, and my usual workaround is to start the con...
This is a great start. I'm new to this level of security design, so I want to make sure I understand the building block. You say to use a detached JW...
Yeah, key management is what I'd be worried about too. I've only used pre-shared keys or a single server cert in my projects. You mentioned distribut...