PostgreSQL considers seccomp() filters
Posted Oct 3, 2019 8:51 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
In reply to: PostgreSQL considers seccomp() filters by cyphar
Parent article: PostgreSQL considers seccomp() filters
> I reckon that the right combination of bind-mounts and AppArmor/SELinux would be a far more effective method for doing this without all of the foot-guns.
SELinux is never a solution...
AppArmor has several problems, though. In particular, it can't be effectively used in unprivileged contexts. For example, you can't run a program that you just compiled with a custom policy.
It also was not possible to use AppArmor from inside containers (has this changed?).