Open aarontp opened 5 years ago
We should fully sandbox the dependencies and especially the binary dependencies. See https://github.com/google/turbinia/issues/429 for some related notes.
Some related links: https://zwischenzugs.com/2018/05/05/sandboxing-docker-with-googles-gvisor/ https://cloud.google.com/blog/products/gcp/open-sourcing-gvisor-a-sandboxed-container-runtime
All workers are run out of containers now, but since docker isn't considered a security boundary on its own I updated the description to be more specific to that.
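As an added example (not code from the Turbinia project or the linked articles), here is how a Docker host can register gVisor's runsc runtime and how a worker launch can check that the container really landed inside the sandbox rather than on the host kernel; the runsc path, the container name and the worker image are assumptions, and the image is assumed to ship a dmesg binary.

```shell
# Added example, not Turbinia's own tooling. Assumes runsc is installed at
# /usr/local/bin/runsc (override with RUNSC_PATH) and that the worker image
# passed in contains dmesg (busybox/alpine based images do).

RUNSC_PATH="${RUNSC_PATH:-/usr/local/bin/runsc}"

# Emit the /etc/docker/daemon.json fragment that registers runsc as a runtime.
# After writing it, restart dockerd so the "runsc" runtime name becomes valid.
render_daemon_json() {
  cat <<EOF
{
  "runtimes": {
    "runsc": {
      "path": "${RUNSC_PATH}"
    }
  }
}
EOF
}

# gVisor's Sentry prints its own kernel-log banner ("Starting gVisor..."),
# whereas a container on runc sees the host kernel's ring buffer. Checking
# for the banner is a cheap way to confirm the sandbox is actually in use.
is_gvisor_dmesg() {
  printf '%s\n' "$1" | grep -q 'gVisor'
}

# Launch the worker under runsc, but only after a throwaway container on the
# same runtime proves the host is really sandboxing it.
run_sandboxed_worker() {
  image="$1"
  banner=$(docker run --rm --runtime=runsc "$image" dmesg 2>/dev/null || true)
  if ! is_gvisor_dmesg "$banner"; then
    echo "refusing to start: $image is not running under gVisor" >&2
    return 1
  fi
  docker run -d --runtime=runsc --name turbinia-worker "$image"
}
```

The daemon.json fragment is merged into the existing file by hand; render_daemon_json only prints it.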