MicroVM sandbox on Win, Mac, Linux, with policy engine(docs.docker.com) |
MicroVM sandbox on Win, Mac, Linux, with policy engine(docs.docker.com) |
I don't really understand why anyone needs a bunch of new ways to say "run this without giving access to anything on my system", because I feel like we already have a ton of solutions for that. The hard problem is figuring out how to say "run this with access to some things on my system without making it incredibly tedious to specify those things", and from what I can tell, tools like this mostly punt on the "don't make it incredibly tedious" part by just letting you dump a bunch of manual settings in a config file and then assuming that people will share them after. That's a reasonable place to draw the line if you're an individual developer writing your own bespoke tool for how you want to sandbox things, but coming from maybe the most widely used container system in existence, shouldn't the bar be a bit higher?