Docker

Chrome/Chromium uses 'sandboxing' to protect itself from untrusted code downloaded from the web. This is good. It does this (in part) through containerization, making syscalls that one would not normally expect from a simple application. So just putting the app in a Docker container doesn't work, because the default permissions Docker puts on a container are too restrictive for the sandbox to set itself up.

The dumbest reflex is to disable sandboxing. That reduces security. The other dumb reflex is to run the docker container in privileged mode, essentially allowing it anything. That also reduces security.

Slightly smarter is to add only some capabilities to the Docker container. The one most often used is SYS_ADMIN. Alas, that amounts to making the container setuid root.

This excellent page by Nicolas Portmann, however, is not stupid, especially the part on seccomp. With it we can add only the capabilities we actually need.[1]
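The seccomp approach in miniature, as an added example that is not from the page above nor from Nicolas Portmann's article: instead of granting CAP_SYS_ADMIN (which unlocks mount, setns and much more), a custom profile allows exactly the namespace-related syscalls the sandbox makes. The profile is a constructed fragment in the JSON shape of Docker's default seccomp profile, and the list of syscalls to unlock (clone, unshare, chroot) is an assumption to verify against the Chromium sandbox documentation; `allowed_without_cap` and `unlock_for_chromium` are hypothetical helpers.

```python
"""Narrow a Docker seccomp profile for the Chromium sandbox instead of
handing the container CAP_SYS_ADMIN."""
import copy
import json

# Constructed fragment in the shape of Docker's default seccomp profile:
# ordinary syscalls are allowed outright, namespace-related ones only
# when the container holds CAP_SYS_ADMIN (the "includes.caps" gate).
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat", "prctl", "seccomp"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        {"names": ["clone", "unshare", "chroot", "mount", "setns"],
         "action": "SCMP_ACT_ALLOW", "args": [],
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}

# Assumed set of syscalls the sandbox needs: it creates user/PID/network
# namespaces (clone/unshare) and chroots into an empty directory.
CHROMIUM_SANDBOX_SYSCALLS = ["clone", "unshare", "chroot"]


def allowed_without_cap(profile, syscall, caps=()):
    """True if `syscall` is allowed for a container holding only `caps`."""
    for rule in profile["syscalls"]:
        if syscall not in rule["names"] or rule["action"] != "SCMP_ACT_ALLOW":
            continue
        required = set(rule.get("includes", {}).get("caps", []))
        if required <= set(caps):
            return True
    return False


def unlock_for_chromium(profile, syscalls=CHROMIUM_SANDBOX_SYSCALLS):
    """Return a copy of `profile` with an unconditional allow rule for just
    the sandbox syscalls; mount and setns stay behind CAP_SYS_ADMIN."""
    new = copy.deepcopy(profile)
    new["syscalls"].append(
        {"names": list(syscalls), "action": "SCMP_ACT_ALLOW", "args": []})
    return new


if __name__ == "__main__":
    # Write the narrowed profile; pass it to docker run with
    # --security-opt seccomp=chrome-seccomp.json (no --privileged needed).
    with open("chrome-seccomp.json", "w") as f:
        json.dump(unlock_for_chromium(BASE_PROFILE), f, indent=2)
```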


[1] Of course, if some evil code is able to break out of the sandbox and take over the Docker container, chances are it will also be clever enough to break out of Docker. After all, the same kernel that runs your system is still exposed to it. We are mainly protecting ourselves here from mistakes in the conferencing software itself, and especially in its packaging.