cmusatyalab / opendiamond

Interactive search of non-indexed data
http://diamond.cs.cmu.edu/
Eclipse Public License 1.0

Run filters in a sandbox #19

Open bgilbert opened 11 years ago

bgilbert commented 11 years ago

Filters need to access stdio, launch helper programs, and load arbitrary libraries. They should not be able to make network connections, write files outside TMPDIR, read arbitrary files, or elevate permissions. In particular, they should not be able to modify cgroups.

(ImageJ also needs to talk with its Xvfb.)

Investigate SELinux, Linux Containers, or seccomp.

jaharkes commented 7 years ago

Got one step closer to this in the opendiamond-8.1.0 release by accepting docker containers as a way to wrap and execute Diamond filters. Once all filters have been converted we can disable support for executing 'native' filter code and finally start tightening down which resources are available to the containers.

btw. ImageJ simply installs and runs Xvfb in the same container as the imagejfind filter.
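As an added illustration of the "tightening down" step these comments describe (this is example code written for this page, not OpenDiamond's own launcher), the POSIX shell function below assembles the `docker run` arguments for a filter container so that it matches the original requirements: stdio stays available, no network, a writable TMPDIR on a private tmpfs, a read-only root filesystem, all capabilities dropped, and no privilege escalation. The image name `example/filter:1` and the wrapper `run_filter` are assumptions; the filter is assumed to talk to the Diamond host over stdin/stdout.

```shell
#!/bin/sh
# Added example, not part of the opendiamond project: build a docker run
# argument list that sandboxes a single Diamond filter container.

# Print, one per line, the docker arguments that implement the policy from
# this issue. The image name is taken from $1.
filter_sandbox_args() {
    image="$1"
    cat <<EOF
--rm
-i
--network none
--read-only
--tmpfs /tmp:rw,nosuid,nodev,size=256m
-e TMPDIR=/tmp
--cap-drop ALL
--security-opt no-new-privileges
--pids-limit 256
--memory 1g
--user 65534:65534
$image
EOF
}
# -i                  : keep stdin open so the filter protocol works over stdio
# --network none      : no network namespace interfaces, so no connections out
# --read-only         : the image's own files cannot be modified
# --tmpfs /tmp        : the only writable location, private to this container;
#                       noexec is deliberately omitted so helper programs
#                       unpacked into TMPDIR can still run
# --cap-drop ALL      : removes CAP_SYS_ADMIN and friends, so the filter cannot
#                       remount /sys/fs/cgroup or change cgroup membership
# --security-opt no-new-privileges : setuid/setcap binaries cannot raise privileges
# --user 65534:65534  : run as an unprivileged uid even if the image says root

# Run one filter image with the sandbox applied, e.g.
#   run_filter example/filter:1 < objects.in > results.out
# (argument lines contain no spaces, so word splitting is safe here)
run_filter() {
    docker run $(filter_sandbox_args "$1")
}
```

The list is conservative on purpose: a filter that genuinely needs something (the ImageJ container's Xvfb, for instance, runs entirely inside the same container and needs no extra flags) should get it added per image rather than by relaxing the default. A seccomp profile passed with `--security-opt seccomp=` can narrow the syscall surface further once the filter set is known.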