podenv security for testing random projects #20

Closed
abitrolly opened this issue Aug 13, 2021 · 5 comments

@abitrolly

I am not satisfied with podman or toolbox, which don't protect me from the following behaviors.

  1. Relabeling my HOME potentially locking up my system
  2. Easily sharing my HOME with all .ssh keys with the container (and toolbox is sharing HOME by default)
  3. No ability to review filesystem changes and commit or discard them

There are probably other attack vectors, and as a result these tools are not really suitable for testing random projects from GitHub in an isolated environment. Does podenv provide a better user experience and protection for this use case?
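
Added example, not part of the original thread and not code from podenv or podman: a Python check that flags `podman run` bind mounts matching behaviors 1 and 2 in the list above (HOME shared wholesale, `.ssh` shared, HOME relabeled with `:z`/`:Z`). The function names, the `/home/alice` paths and the sample command lines are constructed for illustration; only `-v`/`--volume` are parsed, not `--mount`.

```python
import os

def covers(parent, child):
    """True when `parent` is `child` itself or one of its ancestors."""
    return os.path.commonpath([parent, child]) == parent

def volume_specs(argv):
    """Collect the values of -v / --volume from a podman argument list."""
    specs, args = [], iter(argv)
    for arg in args:
        if arg in ("-v", "--volume"):
            specs.append(next(args, ""))
        elif arg.startswith("--volume="):
            specs.append(arg.split("=", 1)[1])
    return specs

def audit(argv, home, cwd="/"):
    """Return (spec, finding) pairs for bind mounts that touch HOME."""
    home = os.path.normpath(home)
    ssh_dir = os.path.join(home, ".ssh")
    findings = []
    for spec in volume_specs(argv):
        parts = spec.split(":")
        # One field is an anonymous volume; a source not starting with
        # "/" or "." is a named volume. Neither is a host bind mount.
        if len(parts) < 2 or not parts[0].startswith(("/", ".")):
            continue
        src = os.path.normpath(os.path.join(cwd, parts[0]))
        opts = parts[2].split(",") if len(parts) > 2 else []
        if covers(src, home):
            findings.append((spec, "shares all of HOME, including .ssh"))
            if "z" in opts or "Z" in opts:
                findings.append((spec, "relabels HOME for SELinux"))
        elif covers(src, ssh_dir) or covers(ssh_dir, src):
            findings.append((spec, "shares SSH key material"))
    return findings

# Constructed sample command lines (not from the thread).
SAMPLES = [
    ["podman", "run", "-v", "/home/alice:/work:Z", "fedora"],
    ["podman", "run", "--volume=/home/alice/.ssh:/root/.ssh:ro", "fedora"],
    ["podman", "run", "-v", "/home/alice/src/proj:/work:Z", "fedora"],
    ["podman", "run", "-v", "cache:/var/cache", "fedora"],
]

if __name__ == "__main__":
    for argv in SAMPLES:
        print(" ".join(argv), "->", audit(argv, "/home/alice") or "ok")
```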

@TristanCacqueray
Collaborator

podenv uses a capability system to share host resources, see https://github.com/podenv/podenv/blob/master/docs/references/configuration.md#capabilities-list. However, podenv is still using podman under the hood, thus it does not provide better protections and it does not help review filesystem changes.

Have you tried podman machine yet?

@abitrolly
Author

abitrolly commented Aug 13, 2021

At least podenv doesn't allow everything by default, like podman. Although some explanations are needed for capabilities. Like what exactly does the hostfiles capability do? Or how security can be affected if, for example, terminal interactive mode is enabled.

> Have you tried podman machine yet?

No. My laptop is only 8Gb, which is not a good option for VMs. What virtual machine engine does it use?

@TristanCacqueray
Collaborator

hostfiles replaces file paths found in the command line arguments with bind mounts for the container. See: https://github.com/podenv/podenv/blob/master/docs/tutorials/create.md

I meant that a virtual machine provides better protections.

@abitrolly
Author

By better protections do you mean that podman is inherently insecure?

@TristanCacqueray
Collaborator

@abitrolly no, I mean that a virtual machine adds an extra layer by running a nested kernel.
