Open chmanchester opened 5 years ago
@jld, I believe you have some expertise in this area. Does my assessment above seem accurate? In other words, if we're not doing anything significant with cgroup configuration, is there any point to creating a cgroup namespace for the spawned process?
We're passing `--unshare-cgroup` to bubblewrap, which fails on older kernels without cgroup namespaces. My understanding of cgroup namespaces from reading their documentation is that they provide isolation primarily for cgroup properties themselves. We're not doing anything interesting with cgroup settings for sandboxed builder processes, so this doesn't seem to be offering meaningful isolation at this point.
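As an added example (not code from this issue or from bubblewrap itself), the wrapper below probes whether the running kernel exposes cgroup namespaces and only then appends `--unshare-cgroup` to the bwrap flag list, so the sandbox launch does not fail on older kernels. It assumes the `/proc/self/ns/cgroup` link is a reliable indicator of support and that the sandbox already unshares the user, pid, net, ipc and uts namespaces; bubblewrap's own `--unshare-cgroup-try` option performs the same fallback internally.

```shell
#!/bin/sh
# Added example: build the bwrap namespace flags for the kernel we run on.
# Assumption: a kernel that implements cgroup namespaces exposes the
# /proc/self/ns/cgroup link; older kernels do not have it.

# cgroup_ns_supported [NS_DIR]
# Returns 0 when NS_DIR/cgroup exists. NS_DIR defaults to /proc/self/ns and is
# a parameter only so the check can be exercised against a constructed dir.
cgroup_ns_supported() {
    ns_dir="${1:-/proc/self/ns}"
    [ -e "$ns_dir/cgroup" ]
}

# bwrap_unshare_flags [NS_DIR]
# Prints the --unshare-* flags to hand to bwrap. The base set (assumed here) is
# what the sandbox relies on; --unshare-cgroup is added only when the kernel
# can honour it, otherwise bwrap would abort on an older kernel.
bwrap_unshare_flags() {
    flags="--unshare-user --unshare-pid --unshare-net --unshare-ipc --unshare-uts"
    if cgroup_ns_supported "$1"; then
        flags="$flags --unshare-cgroup"
    fi
    printf '%s\n' "$flags"
}

# Usage: show the flag set chosen for this machine.
# (Launching would be:  bwrap $(bwrap_unshare_flags) --ro-bind / / -- /bin/true)
bwrap_unshare_flags
```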