From c3ac2c84788b685e262f8f7771dc6f191df5f7f2 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 19 Aug 2022 19:36:59 -0400 Subject: [PATCH] Typo fix Signed-off-by: Tommy --- content/os/Desktop-Linux-Hardening.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/os/Desktop-Linux-Hardening.md b/content/os/Desktop-Linux-Hardening.md index cfb8a99..95d14da 100644 --- a/content/os/Desktop-Linux-Hardening.md +++ b/content/os/Desktop-Linux-Hardening.md 
@@ -148,7 +148,7 @@ You can make your own AppArmor profiles, SELinux policies, Bubblewrap profiles, If you’re running a server, you may have heard of Linux Containers. They are more common in server environments where individual services are built to operate independently. However, you may sometimes see them on desktop systems as well, especially for development purposes. -[Docker](https://en.wikipedia.org/wiki/Docker_(software)) is one of the most common container solutions. It is **not** a proper sandbox, and this means that there is a large kernel attack surface. You can should the [Docker and OCI Hardening](/os/docker-and-oci-hardening/) guide to mitigate this problem. In short, there are things you can do like using rootless containers (either through configuration or through using [Podman](https://podman.io/)), using a runtime which provides a psuedo-kernel for each container ([gVisor](https://gvisor.dev/)), and so on. +[Docker](https://en.wikipedia.org/wiki/Docker_(software)) is one of the most common container solutions. It is **not** a proper sandbox, and this means that there is a large kernel attack surface. You should follow the [Docker and OCI Hardening](/os/docker-and-oci-hardening/) guide to mitigate this problem. In short, there are things you can do like using rootless containers (either through configuration or through using [Podman](https://podman.io/)), using a runtime which provides a psuedo-kernel for each container ([gVisor](https://gvisor.dev/)), and so on. Another option is [Kata containers](https://katacontainers.io/), where virtual machines masquerade as containers. Each Kata container has its own Linux kernel and is isolated from the host.
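Review bot: the hunk corrects "You can should the" to "You should follow the", but the rewritten line still carries "psuedo-kernel" (should be "pseudo-kernel") in the same sentence; since this commit is explicitly a typo fix, correct that spelling in the same `+` line rather than leaving it for a follow-up. Suggested wording for the tail of the line: "using a runtime which provides a pseudo-kernel for each container ([gVisor](https://gvisor.dev/)), and so on."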