The Linux kernel is not usable as a security boundary, so anyone who wants to do "shared hostin...

lifis • yesterday at 6:55 PM • 2 replies • view on HN

The Linux kernel is not usable as a security boundary, so anyone who wants to do "shared hosting" and not be hacked needs to use something else, like gVisor or firecracker VMs

The only important system that uses it as a security boundary is Android and there is mitigated by the fact that APKs need user approval, plus strict SELinux and seccomp policy plus the GrapheneOS hardening, and in this case the mitigations succeeded (https://discuss.grapheneos.org/d/35110-grapheneos-is-protect...)

Replies

dawnerd • yesterday at 7:06 PM

A LOT of websites are tenants on WHM/CPanel hosts. Not to mention how many agencies use it for their clients Wordpress sites.

➕ show 1 reply

watermelon0 • yesterday at 7:26 PM

I'm quite sure there are many application hosting providers which rely on container runtime such as runC (default runtime of containerd/Docker), and a shared kernel between users.

➕ show 1 reply

alt Hacker News

Replies