runjail
ad-hoc sandboxes on Linux
Some distros have unprivileged user namespaces disabled by default (e.g. the kernel.unprivileged_userns_clone sysctl). We should detect this and print a proper error (set the sysctl or use the bwrap backend).
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.35.0 to 0.38.0. Commits e1fcd82 html: properly handle trailing solidus in unquoted attribute value in foreign... ebed060 internal/http3: fix build of tests with GOEXPERIMENT=nosynctest 1f1fa29 publicsuffix: regenerate...
[pasta](https://passt.top/) should allow implementing a network access mode that allows only access to the local interface.
Abstract unix sockets are bound to the network namespace. So if network access is allowed we currently can't restrict access to abstract unix sockets (e.g. X11 server).